§1. Preface. Modal logics arise throughout computer science. It is worthwhile to find the
best means of exposition of theory and applications for mathematics and computer science
students. The classical modal logic texts are oriented toward neither computer science nor
mathematics. The computational content of proof procedures and how the notions apply in
computer science and AI applications has to be brought out. Here we start an exposition
without proofs of propositional modal logic using a tableaux method easy to remember for
hand computation and suitable for automated reasoning. The exposition is analogous to the
exposition in the author's lectures on intuitionistic logic (Nerode [1990]), also directed at
computer science applications. Here one application exposited at length, also without proofs,
is the autoepistemic logic of Moore. The outline of §9 was supplied by W. Marek. But any
defects of exposition are solely due to the present author. We outline classical constant domain
modal predicate logic briefly. We conclude with dynamic logic. We give a brief introduction
to a new intuitionistic dynamic logic due to D. Wijesekera, which is suitable for dealing with
concurrency.

§2. Propositional modal logic. Propositional modal logic is based on connectives which
construct new propositions from old. We treat propositional logic first. The modal
propositional connectives are

∧ "and"

∨ "or"

→ "implies"

¬ "not"

□ "box"

◇ "diamond"

The primitive symbols will be:

An infinite list of propositional constants.

The list of logical connectives ∧, ∨, →, ¬, □, ◇.

Parentheses (, ) and the comma.

The inductive definition of (modal) proposition is:

1) Propositional constants are propositions.

2) If α, β are propositions, then (α ∧ β), (α ∨ β), (α → β), (¬α) are propositions.

3) If α is a proposition, then (□α) is a proposition.

4) If α is a proposition, then (◇α) is a proposition.

Sometimes we omit parentheses, but just as often we put extra ones in for legibility in
complex expressions. We are indiscriminate in using both upper case Roman letters and lower
case Greek letters for propositions.

Propositions  constructed  by  rules  1),  2)  alone  are  called  classical  propositions  and  constitute 
the  language  L.  Propositions  constructed  using  rules  1),  2),  3)  are  called  modal  propositions 
and  constitute  the  language  Propositions  constructed  using  1),  2),  3),  4)  are  also  called 

modal  propositions  and  constitute  the  language 

The classical propositions of L are intended as truth functional modes of statement
composition, that is, the truth or falsity of a compound statement is determined by the truth
or falsity of the parts. This is the import of the truth tables of propositions. Conversely, any
truth table is the truth table of a proposition built from ∧, ∨, ¬. Classical propositional logic
was defined to deal with exactly all truth functional connectives.

As for the modal connectives,

"□P" is read "box P", or sometimes "necessarily P",

"◇P" is read "diamond P", or sometimes "possibly P".

We prefer the readings "box" and "diamond", simply because the interpretations of the
connectives □ and ◇ in applications are often quite different from those associated
with "necessary" and "possible". For example, "I know that", "I believe that", "John knows
that", "John believes that" are often axiomatized using box with appropriate axioms. A
further reason for neutral terminology is that the question as to what are the properties of
necessity and possibility has been debated since the golden age of Greece.


Remark. Modal propositional connectives, unlike the classical connectives, never entered into
the foundations of classical mathematics. These foundations rest only on the classical "truth
functional" propositional connectives. The new connectives of modal logic are not intended to
be truth functional. "It is necessary that P" should not depend solely for its truth or
falsity on the truth or falsity of P, otherwise it is merely P or ¬P.


§3. Frames. C. I. Lewis [1918] introduced modal logic as a deductive subject and gave a notion
of theorem based on axioms and rules of inference. Kanger [1957] and Kripke [1959, 1963]
gave a semantics based on the notions of frame and model.


First let us review truth valuations of classical logic L. An L-assignment is a mapping A
with domain the set of propositional constants to {T, F}. Let A be the set of all
propositional constants mapped into T by A. Each assignment A has a unique extension
to a classical L-valuation v of L, such that

0) v(P) = A(P) for all propositional constants P.

1) v(A ∧ B) = T iff v(A) = T and v(B) = T.

2) v(A ∨ B) = T iff v(A) = T or v(B) = T.

3) v(A → B) = T iff v(A) ≠ T or v(B) = T.

4) v(¬A) = T iff v(A) ≠ T.

Or equivalently,

0) For propositional constants P, P is true iff P ∈ A.

1) A ∧ B is true iff A is true and B is true.

2) A ∨ B is true iff A is true or B is true.

3) A → B is true iff A is not true or B is true.

4) ¬A is true iff A is not true.


Frame semantics. For modal propositional logic Kripke introduced the notion of a frame
consisting of a non-empty set S of "possible worlds" and a binary relation
R ⊆ S × S. Then wRx is read "x is accessible from w". A model M is a triple (S, R, v),
with (S, R) a frame and v a "valuation function" with domain the set of "possible
worlds" S and range contained in the set of L-valuations, which assigns to each w in S an
L-valuation v(w). So the notation for the truth value of the valuation v(w) assigned to
world w at proposition A is v(w)(A). Here is a definition of "A is true at w in M".
Reference to M is omitted when understood.

0) An atomic proposition A is true at w iff v(w)(A) = T.

1) A ∧ B is true at w iff A is true at w and B is true at w.

2) A ∨ B is true at w iff A is true at w or B is true at w.

3) A → B is true at w iff A is not true at w or B is true at w.

4) ¬A is true at w iff A is not true at w.

5) □A is true at w iff for every x accessible from w, A is true at x.

6) ◇A is true at w iff for some x accessible from w, A is true at x.

Fix M. We indiscriminately write "A is true at w" as "w ⊩ A", or as "w forces A". At
times this avoids incorrect connotations of classical truth, and is a notation borrowed from set
theory.

In the forcing notation, the inductive definition of ⊩ is: for all w in S,

0) For an atomic proposition A, w ⊩ A iff v(w)(A) = T.

1) w ⊩ A ∧ B iff w ⊩ A and w ⊩ B.

2) w ⊩ A ∨ B iff w ⊩ A or w ⊩ B.

3) w ⊩ A → B iff not (w ⊩ A) or w ⊩ B.

4) w ⊩ ¬A iff not (w ⊩ A).

5) w ⊩ □A iff for all x in S such that w R x, x ⊩ A.

6) w ⊩ ◇A iff for some x in S such that w R x, x ⊩ A.

Remark. Box "□" and diamond "◇" are written as "propositional" connectives. But in a
model (S, R, v) the "□" in w ⊩ □A is a universal quantifier over possible worlds accessible
from w (if any), while the "◇" in w ⊩ ◇A is an existential quantifier over worlds accessible
from w. So to construct models for modal propositional calculus, the appropriate method
comes from classical predicate logic, not from classical propositional logic.

We assume as given an infinite sequence of constants to name worlds, "world constants". In
the tableaux below these will be used ambiguously as names for worlds w and names for
classical valuations w at worlds. That is, in the models associated with tableaux branches,
S will be a set of world constants, and the accessibility relation R will be a relation between
world constants. This means that for the models constructed by tableaux, the valuation map
v will be such that v(w) = w. There we do not distinguish between names of worlds and
names of valuations in the tableaux.

The tableaux rules are chosen to reflect exactly the definition of forcing in a model.

§4. Propositional tableaux. A tableaux is a finite labelled tree, with apex at the top. Each
node is labelled by a "signed formula" Tv⊩A or Fv⊩A, with A a formula, v a world
constant. These are read respectively "at world v, A is true", or "at world v, A is false".

In addition, at the base of some branches is an X, and these are called closed branches, the
rest open. Tableaux are developed (extended to larger tableaux) by the rules below.

Here is the dynamic idea behind constructing a tableaux proof of A. To verify that A is
valid in all models, we suppose not, and search for a counterexample by developing a tableaux
with apex Fw⊩A, with w a world constant not occurring in A. If we develop such a
tableaux according to the tableaux rules, all possible ways to falsify w⊩A are taken into
account. If an immediate contradiction occurs on every branch at some point of the tableaux
construction, all ways of falsifying A have been exhausted. A is valid in all models. The
resulting tableaux with contradictions on every branch is a proof of A. A closed branch is
one with a contradiction X at the base. Open branches are those that are not closed. We
develop the tableaux by using entries on open branches. An entry is used by placing an
appropriate atomic tableaux, omitting its apex, at the base of some (or every) open branch
through that entry. A branch is declared closed as soon as for some branch and some
proposition B and some world constant w, that branch has entries of the form Tw⊩B,
Fw⊩B. We place a cross at the base of each branch so closed. A tableaux proof is a
tableaux with all branches closed.

The tableaux proof system is based on the atomic tableaux for classical and modal connectives
below: ∧, ∨, →, ¬, □, ◇. It is the equivalent of the system K traditionally studied in modal
logic. See Fitting [1983] for closely related systems of prefixed tableaux, from which these
tableaux stem. We also will extend this system with additional tableaux development rules to
deal with validity in special classes of frames.


The classical connectives.

and

    Tw⊩φ ∧ ψ                Fw⊩φ ∧ ψ
        |                    /      \
      Tw⊩φ               Fw⊩φ      Fw⊩ψ
        |
      Tw⊩ψ

or

    Tw⊩φ ∨ ψ                Fw⊩φ ∨ ψ
     /      \                   |
  Tw⊩φ    Tw⊩ψ                Fw⊩φ
                                |
                              Fw⊩ψ

implies

    Tw⊩φ → ψ                Fw⊩φ → ψ
     /      \                   |
  Fw⊩φ    Tw⊩ψ                Tw⊩φ
                                |
                              Fw⊩ψ

not

    Tw⊩¬φ                   Fw⊩¬φ
      |                        |
    Fw⊩φ                    Tw⊩φ


Example. Here is a tableaux proof of ¬B ∧ (A ∨ B) → A.

1   Fw⊩¬B ∧ (A ∨ B) → A
              |
2   Tw⊩¬B ∧ (A ∨ B)                 by 1
3   Fw⊩A                            by 1
              |
4   Tw⊩(¬B)                         by 2
5   Tw⊩(A ∨ B)                      by 2
           /     \
6   Tw⊩A         Tw⊩B               by 5
      |            |
7     X          Fw⊩B               by 3, 6; by 4
                   |
8                  X                 by 6, 7

The number annotations on the left and the reason annotations on the right are not part of
the formal tableaux proof, but are useful for reading a finished proof. Since "w⊩" plays no
role in tableaux for propositions in the classical propositional calculus L, it can be omitted,
getting the tableaux below.

    F ¬B ∧ (A ∨ B) → A
    T ¬B ∧ (A ∨ B)
    FA
      |
    T¬B
      |
    T(A ∨ B)
     /    \
   TA      TB
    |       |
    X      FB
            |
            X

This is a classical tableaux in the sense of Smullyan [1968].

Example. (Peirce's Law) Here is a classical tableaux proof of another classical proposition.

1   F(((A → B) → A) → A)
2   FA                              by 1
3   T((A → B) → A)                  by 1
          /      \
4   F(A → B)      TA                by 3
       |           |
5     FB           X                by 4
       |
6     TA                            by 4
       |
7      X                            by 2, 6

Example. Here is another classical tableaux.

1           T((A ∧ (¬A)) ∨ (B ∨ (C ∧ D)))
               /                 \
2      T(A ∧ ¬A)            T(B ∨ (C ∧ D))          by 1
           |                   /       \
3         TA                 TB       T(C ∧ D)      by 2
           |                              |
4        T¬A                             TC         by 3
           |                              |
5         FA                             TD         by 4; by 3
           |
           X

This is not a proof. Here we get a contradiction on the left branch. Each of the other
branches exhibits valuations making the topmost signed statement true. That is, any
valuation making B true makes the topmost signed statement true, any valuation making
C, D both true makes the topmost signed statement true. This exhibits the fact that
counterexamples can be read off tableaux.


Atomic tableaux. The modal connectives.

Box.

    Tw⊩□φ                          Fw⊩□φ
      |                               |
    Tv⊩φ                            TwRv
                                      |
    provided TwRv occurs            Fv⊩φ
    on the branch already
                                    for a new v not yet
                                    occurring on the branch

Diamond.

    Tw⊩◇P                          Fw⊩◇P
      |                               |
    TwRv                            Fv⊩P
      |
    Tv⊩P                            provided TwRv occurs
                                    on the branch already
    for a new v not yet
    occurring on the branch

Explanation. Recall the definition of forcing at a world in clauses 5), 6) above. For any
tableaux entry Tw⊩□φ on an open branch, if v is a valuation constant already occurring in
a signed formula on that branch, we wish to be able to adjoin Tv⊩φ to the end of that
branch. For any tableaux entry Fw⊩□φ on an open branch, and any valuation constant v
not occurring on that branch, we wish to be able to adjoin to the end of that branch TwRv
followed by Fv⊩φ. These are the last of the rules of proof for modal propositional logic L□.

Remark. In these notes, diamond ◇ will not be mentioned again. We concentrate on □.

The definition of semantic validity must be expressed with care. A proposition P is valid in
a model (S, R, v) if P is forced by every w in S. A proposition P is valid in a frame
(S, R) if for every possible valuation function v for that frame, P is valid in the model (S,
R, v). A proposition is valid if valid in every frame. So P is valid if for every frame (S, R),
every valuation v, every world w of S, w forces P.

It is useful to have the notion of a deduction of proposition B from premises A₁, ..., Aₙ.

The notion of deduction is supposed to be a syntactical equivalent of the semantical assertion
that for all frames (S, R) for which A₁, ..., Aₙ are valid in (S, R), B is also valid for
(S, R). The hypothesis is that for all i, all w in S, w ⊩ Aᵢ. This is not reflected in the tableaux
proof rules above. We need an additional

Atomic tableaux for deductions.

For any premise Aᵢ, any world constant v,
the tableaux below may be appended to any open branch:

Tv⊩Aᵢ

Then a deduction of conclusion B from premises A₁, ..., Aₙ is a tableaux with all branches
closed in which

1) The apex is Fw⊩B.

2) The atomic tableaux for proofs are allowed.

3) Application of the tableaux deduction rule for premises A₁, ..., Aₙ is allowed, i.e., the
atomic tableaux for deduction indicated can be appended to the base of any open branch
at will for any premise Aᵢ and any valuation constant v.


Theorem. (Correctness) Every proposition with a tableaux proof (by rules 1-6) is valid. If
proposition B has a tableaux deduction from A₁, ..., Aₙ, then B is valid in any frame in
which A₁, ..., Aₙ are valid.

Theorem. (Completeness) Every valid proposition has a tableaux proof. If B is valid in every
frame in which A₁, ..., Aₙ are valid, then there is a tableaux deduction of B from A₁, ..., Aₙ.

The completeness and correctness proofs mimic the classical case. They are straightforward
by a "complete systematic tableaux procedure" like that of Smullyan for classical tableaux
and of Fitting [1983] for prefixed tableaux. They will be supplied in a more complete version
of these notes.

Example. All classical tautologies have tableaux proofs. For simply substitute "Tw⊩φ" for
"Tφ", "Fw⊩φ" for "Fφ" throughout the classical tableaux proof of the tautology.

Example. Here is a tableaux proof of □(A → B) → (□A → □B). It is the axiom used to prove
that {P : □P is a theorem} is closed under modus ponens in Hilbert-style systems of
propositional modal logic based on axioms and modus ponens as the sole rule of inference.

1    Fw⊩□(A → B) → (□A → □B)
               |
2    Tw⊩□(A → B)                    by 1
3    Fw⊩□A → □B                     by 1
               |
4    Tw⊩□A                          by 3
5    Fw⊩□B                          by 3
               |
6    TwRv     new v                  by 5
7    Fv⊩B                           by 5
               |
8    Tv⊩A                           by 4, 6
9    Tv⊩A → B                       by 2, 6
            /     \
10   Fv⊩A         Tv⊩B              by 9
       |            |
11     X            X                by 8, 7

Example. (Modus Ponens) From premises A, A → B, deduce B.

1   Fw⊩B
      |
2   Tw⊩A → B                  Premise
3   Tw⊩A                      Premise
     /     \
4   Fw⊩A    Tw⊩B              By 2
      |       |
      X       X                By 1, by 3

The semantical equivalent is that if A and A → B are valid in a frame, then so is B.

Example. From premise A, deduce □A. This is called the rule of necessitation. (Line 4 of
the deduction below uses the deduction atomic tableaux.)

1   Fw⊩□A
2   TwRv                 by 1
3   Fv⊩A                by 1
4   Tv⊩A                premise


Example. In contrast, A → □A is not valid.

1   Fw⊩A → □A
2   Tw⊩A                by 1
3   Fw⊩□A               by 1
        |
4   TwRv                 by 3
5   Fv⊩A                by 3

This produces a frame S = {w, v}, R = {(w, v)}, and a valuation in which A is true at
w but not at v.

In this frame, w does not force A → □A, so A → □A is not valid in all frames. But A → □A
is valid in those models in which, if wRx, then under the valuation, if A is true at w, then A
is true at x. So one has to be very careful in formulating any sort of deduction theorem.
Unwind the modal operators as quantifiers, and look at their scopes.

„»»  ( iA  W.  a  po..,W=  to,  possible 

K,.)  .rtlbeltoell  -  ™  .„to  ,  IP 

V  of  that  frame  (3f,  R),  m  the  model  {S,  R,  v),  e  y  ,  ^  for  ^ny  w  in  y, 

"A → B is a theorem." This says the following. In any model (S, R, v),
if w forces A, then w forces B.

The  quantifier  structure  of  the  two  statements  is  quite  different. 
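The tableaux rules of this section can be run mechanically. The sketch below is an added example, not code from these notes: it develops a tableaux with apex Fw0⊩P using only the classical and modal atomic tableaux of K (no deduction rule for premises), and when a branch stays open it reads a counterexample off that branch. The tuple encoding of formulas and the names split, search and prove are assumptions made for the example.

```python
# Added example: tableaux for K. An atom is a string; compound formulas are tuples.
def Not(a): return ('not', a)
def And(a, b): return ('and', a, b)
def Or(a, b): return ('or', a, b)
def Imp(a, b): return ('imp', a, b)
def Box(a): return ('box', a)
def Dia(a): return ('dia', a)

def split(sign, w, f):
    """Atomic tableau for a classical connective: (does it branch?, signed children)."""
    op = f[0]
    if op == 'not':
        return False, [(not sign, w, f[1])]
    if op == 'imp':                        # T: F a | T b        F: T a, F b
        return sign, [(not sign, w, f[1]), (sign, w, f[2])]
    kids = [(sign, w, f[1]), (sign, w, f[2])]
    return (not sign if op == 'and' else sign), kids   # T-and and F-or do not branch

def search(branch, rel, used, fresh):
    """Develop one branch. Returns None if every extension closes, otherwise
    (entries, accessibility pairs) of a fully developed open branch."""
    if any((not s, w, f) in branch for (s, w, f) in branch):
        return None                        # Tw ⊩ B and Fw ⊩ B both present: closed
    for entry in branch:
        s, w, f = entry
        if isinstance(f, str):
            continue                       # atomic entries are never developed
        if (s, f[0]) in ((True, 'box'), (False, 'dia')):
            # applies to every v for which TwRv is already on the branch
            new = {(s, v, f[1]) for (u, v) in rel if u == w} - branch
            if new:
                return search(branch | new, rel, used, fresh)
            continue
        if entry in used:
            continue
        used = used | {entry}
        if f[0] in ('box', 'dia'):         # F-box / T-diamond: TwRv for a new v
            v = 'w%d' % fresh
            return search(branch | {(s, v, f[1])}, rel | {(w, v)}, used, fresh + 1)
        branching, kids = split(s, w, f)
        if not branching:
            return search(branch | set(kids), rel, used, fresh)
        for kid in kids:
            found = search(branch | {kid}, rel, used, fresh)
            if found is not None:
                return found
        return None
    return branch, rel

def prove(formula):
    """(True, None) if the tableaux with apex F w0 ⊩ formula closes, otherwise
    (False, model) with the worlds, relation and true atoms of an open branch."""
    result = search(frozenset({(False, 'w0', formula)}), frozenset(), frozenset(), 1)
    if result is None:
        return True, None
    entries, rel = result
    return False, {
        'worlds': {w for (_, w, _) in entries},
        'R': set(rel),
        'true': {(w, f) for (s, w, f) in entries if s and isinstance(f, str)},
    }

if __name__ == '__main__':
    A, B = 'A', 'B'
    print(prove(Imp(Box(Imp(A, B)), Imp(Box(A), Box(B)))))   # closes: a proof
    print(prove(Imp(A, Box(A))))                             # open: counterexample
```

For A → □A the open branch gives worlds w0, w1 with w0Rw1 and A true only at w0, which is the two-world frame read off by hand above.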

§5. Some modal axioms.

Example. □A → A is not valid. It is traditionally called T. If □ is interpreted "I know",
then T says "knowledge is truth", so it is called the "knowledge axiom". If □ is interpreted
as "I believe", then T says "What I believe is true". One can have false beliefs.

1   Fw⊩□A → A
2   Tw⊩□A               by 1
3   Fw⊩A                by 1

There is no contradiction. Reading off this tableaux the worlds and the forced atomic
statements at those worlds, a one world frame (S, R), S = {w} with empty accessibility
relation R and A false at w makes □A → A false. A reflexive frame is one in which wRw
for every world w. Looking at the tableaux line 2, we would get Tw⊩A, contradicting line 3.
So □A → A is valid in all reflexive frames. Conversely, any proposition valid in all reflexive
frames can be deduced from □A → A.

Reflexive tableaux development rule.

If w is any world occurring in an entry, at the base of any open branch through that entry
we may append the tableaux

TwRw

A proposition is valid in all reflexive frames if and only if provable by the standard modal
tableaux plus the reflexive tableaux development rule.

Example. □A → □□A is not valid. Traditionally, this proposition is called "4". In newer
papers, this is called the "positive introspection axiom", "What I believe, I believe I believe".

1   Fw⊩□A → □□A
2   Tw⊩□A                by 1
3   Fw⊩□□A               by 1
4   TwRv     new v        by 3
5   Fv⊩□A                by 3
6   TvRu     new u        by 5
7   Fu⊩A                 by 5
8   Tv⊩A                 by 2, 4

There is no contradiction. But reading off the true atomic statements from the tableaux, we
get a three world frame S = {w, v, u}, with wRv, vRu, and in the model with A true at v,
but A not true at w or u. This is a counterexample to the validity of □A → □□A, which is
not true at w.

          A
    w --> v --> u

The labelled graph above has branches representing all accessibility relations and nodes
representing all worlds. Labels of nodes are atomic propositions true at that world.

A transitive frame (S, R) is one such that for all w, v, u, if wRv and vRu, then wRu.
Then from the tableaux we get TwRv, TvRu, so we get TwRu. Then we could apply line 2
and get Tu⊩A, contradicting line 7. So □A → □□A is valid in transitive frames. Conversely,
any proposition valid in all transitive frames is deducible from □A → □□A. If we wish to deal
only with transitive accessibility relations, we can add the following rule of tableaux
development directly to those already given.

Transitivity tableaux development rule.

If TwRu and TuRv occur on a branch, we may append to all (some) open branches through
that pair, the tableaux

TwRv

Then a proposition is valid in all transitive frames if and only if it has a tableaux proof using
the standard modal tableaux rules plus the transitive tableaux development rule.

Example. ¬□φ → □¬□φ is not valid. In older papers this is often abbreviated E for the
Euclidean axiom, or 5. In newer papers, this is called the "negative introspection axiom",
"What I don't believe, I believe I don't believe".

1   Fw⊩¬□φ → □¬□φ
2   Tw⊩¬□φ               by 1
3   Fw⊩□¬□φ              by 1
4   Fw⊩□φ                by 2
5   TwRv     new v        by 4
6   Fv⊩φ                 by 4
7   TwRu     new u        by 3
8   Fu⊩¬□φ               by 3
9   Tu⊩□φ                by 8

If we read off the true atomic sentences, they are wRv, wRu. With φ declared false in all
three valuations, we get a model

        v
       /
      w ---> u

in which w does not force ¬□φ → □¬□φ. A Euclidean frame is one such that for all w, v, u
in S, wRu and wRv imply uRv. Looking at the tableaux, we had TwRu, TwRv. With
the Euclidean property, we get also TuRv, by line 9 this gives Tv⊩φ, contradicting line 6.

So ¬□φ → □¬□φ is valid in all Euclidean frames. Conversely, any proposition true in all
Euclidean frames is deducible from ¬□φ → □¬□φ. For a Euclidean R, for any world w in S,
the restriction of R to {v ∈ S : w R v} is an equivalence relation, but this set does not
necessarily contain w itself.

Euclidean tableaux development rule.

If a branch contains entries TwRu and TwRv, then we may append to every open branch
through these two entries the tableaux

TuRv

Then a proposition is true in all Euclidean frames if and only if it has a tableaux proof using
the standard modal tableaux plus the Euclidean tableaux development rule.

Example. □P → ¬□¬P is not valid. In the older literature, this is axiom D. In newer papers,
this is called the serial axiom. "What I believe, I don't believe the negation of".

1   Fw⊩□P → ¬□¬P
        |
2   Tw⊩□P                by 1
        |
3   Fw⊩¬□¬P              by 1
4   Tw⊩□¬P               by 3

There is no contradiction. The model with a single world w and empty accessibility R and
P false at w will do to falsify □P → ¬□¬P. A serial frame is one such that for every world
w, there is a world v such that wRv. In this case from Tw⊩□P, Tw⊩□¬P, we get Tv⊩P,
Tv⊩¬P, a contradiction, so □P → ¬□¬P is valid in serial frames. In fact, any proposition
valid in all serial frames is deducible from □P → ¬□¬P.

Serial tableaux deduction rule.

For any world constant v occurring in an entry on an open branch, and any valuation
constant u not on that branch, we may append to that open branch the tableaux below

TvRu

Thus a proposition is valid in every serial frame if and only if it has a tableaux proof using the
standard modal tableaux plus the serial tableaux deduction rule.
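The four examples above pair T, 4, 5 and D with reflexive, transitive, Euclidean and serial frames. The sketch below is an added example, not part of the original notes: it implements clauses 0)-6) of the forcing definition and, for every frame with at most three worlds, compares validity of each axiom in the frame with the matching frame condition. It goes one step beyond the text by checking both directions on those small frames (the axiom is valid in the frame exactly when the frame has the property). The tuple encoding and all function names are assumptions of the example.

```python
from itertools import product

# Added example. An atom is a string; compound formulas are tuples like ('box', 'A').
A = 'A'
def Not(a): return ('not', a)
def Imp(a, b): return ('imp', a, b)
def Box(a): return ('box', a)

def forces(w, f, R, val):
    """w ⊩ f by clauses 0)-6); val[w] is the set of atoms true at world w."""
    if isinstance(f, str):
        return f in val[w]
    op = f[0]
    if op == 'not':
        return not forces(w, f[1], R, val)
    if op == 'and':
        return forces(w, f[1], R, val) and forces(w, f[2], R, val)
    if op == 'or':
        return forces(w, f[1], R, val) or forces(w, f[2], R, val)
    if op == 'imp':
        return (not forces(w, f[1], R, val)) or forces(w, f[2], R, val)
    accessible = [x for (u, x) in R if u == w]
    if op == 'box':
        return all(forces(x, f[1], R, val) for x in accessible)
    if op == 'dia':
        return any(forces(x, f[1], R, val) for x in accessible)
    raise ValueError('unknown connective %r' % (op,))

def atoms(f):
    return {f} if isinstance(f, str) else set().union(*(atoms(g) for g in f[1:]))

def valid_in_frame(f, S, R):
    """True iff every world forces f under every valuation on the frame (S, R)."""
    names = sorted(atoms(f))
    subsets = [frozenset(n for n, b in zip(names, bits) if b)
               for bits in product((0, 1), repeat=len(names))]
    return all(forces(w, f, R, dict(zip(S, choice)))
               for choice in product(subsets, repeat=len(S)) for w in S)

def reflexive(S, R):
    return all((w, w) in R for w in S)

def transitive(S, R):
    return all((w, u) in R for (w, v) in R for (x, u) in R if v == x)

def euclidean(S, R):
    return all((u, v) in R for (w, u) in R for (x, v) in R if w == x)

def serial(S, R):
    return all(any((w, v) in R for v in S) for w in S)

AXIOMS = {
    'T': (Imp(Box(A), A), reflexive),
    '4': (Imp(Box(A), Box(Box(A))), transitive),
    '5': (Imp(Not(Box(A)), Box(Not(Box(A)))), euclidean),
    'D': (Imp(Box(A), Not(Box(Not(A)))), serial),
}

def correspondence(max_worlds=3):
    """For every frame with at most max_worlds worlds, compare validity of each
    axiom with its frame condition. Returns {axiom name: did they always agree?}."""
    agree = dict.fromkeys(AXIOMS, True)
    for n in range(1, max_worlds + 1):
        S = list(range(n))
        pairs = [(a, b) for a in S for b in S]
        for bits in product((0, 1), repeat=len(pairs)):
            R = {p for p, b in zip(pairs, bits) if b}
            for name, (axiom, condition) in AXIOMS.items():
                if valid_in_frame(axiom, S, R) != condition(S, R):
                    agree[name] = False
    return agree

def counterexample_4():
    """The three-world model of the text for axiom 4 (wRv, vRu, A true at v only),
    built here by hand. Returns whether w forces the axiom."""
    R = {('w', 'v'), ('v', 'u')}
    val = {'w': set(), 'v': {'A'}, 'u': set()}
    return forces('w', AXIOMS['4'][0], R, val)

if __name__ == '__main__':
    print(correspondence())       # every axiom agrees with its frame condition
    print(counterexample_4())     # w does not force the axiom in that model
```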

Hilbert systems for modal logic. A standard set of axioms and rules of inference for a Hilbert
style modal logic called K defines the theorems (of K) as the smallest set of propositions
such that the following hold.

1. All classical tautologies with modal propositions substituted for variables are theorems.
(These tautologies are the "axioms".)

2. All propositions □(A → B) → (□A → □B) are theorems.

3. If A, A → B are theorems, then B is a theorem.

4. If A is a theorem, then □A is a theorem.

The notion of deductive closure of a set of premises S would replace "are theorems" by "are
consequences of S" in 1, 2, 3, 4, and add

5) Premises in S are consequences of S.

We have already shown that each axiom and rule of inference holds for tableaux provability
using the standard modal tableaux. Propositions proven by the tableaux method are valid in
all frames. Any proof of completeness for the system based on 1)-4) shows that tableaux
provability coincides with provability in this system.

Here is a list of commonly occurring systems.

- K is the proof system using the classical and modal atomic tableaux.

This tends to be a substructure of modal systems used for computer science.

- T is K plus the schema □A → A as premises for deductions. T tends to be regarded as the
logic of knowledge (true beliefs).

• A proposition is provable in T iff valid in all reflexive frames iff provable by the tableaux of
K plus the reflexive tableaux development rule.

- S4 is T plus the additional schema □A → A and □A → □□A added as premises for
deductions.

• A proposition is provable in S4 iff valid in all reflexive, transitive frames iff provable by the
tableaux of K plus the reflexive and transitive tableaux development rules.

- S5 is S4 plus the additional schema ¬□A → □¬□A added as premises for deductions. A
relation R on S is transitive, Euclidean and reflexive iff R is an equivalence relation.

• A proposition is provable in S5 iff valid in all frames with an equivalence relation on S as
accessibility iff provable by the tableaux rules of K plus the reflexive, transitive, and Euclidean
tableaux development rules.


There is more to say for S5.

Lemma. Suppose (S, R, v) is a model and w ∈ S. Define a model (S', R', v') by setting
S' = {w' | wRw'}, R' = R ∩ (S' × S'), v' = v restricted to S'. Then w forces φ in
(S, R, v) iff w forces φ in (S', R', v').

The proof of the lemma is by induction on the definition of forcing.

According to this lemma, φ is forced by all v in all models S with R an equivalence
relation on S iff forced by all v in all models with R an equivalence relation on S which
has a single equivalence class, that is, R = S × S. A complete frame is one where the
accessibility on S is R = S × S.

The system S5 was used by Moore [1985] for autoepistemic logic (see below). The system S5
is suitable for reasoning about knowledge in distributed systems, provided that there are
many S5 modal connectives, one for each agent or machine A. This takes one beyond
complete frames; the lemma no longer works for multiple agents, one is stuck with many
equivalence relations, one for each agent, see Halpern and Moses [1984, 198?], and also Lehmann
[1984].

Complete tableaux development rule.

If world constants u, v occur in entries, then we may append to the base of any open branch
through those entries the tableaux below.

TuRv

• A proposition is provable in K5 iff valid in all complete frames iff provable by the tableaux
of K plus the complete tableaux development rule.

- K45 is K plus the additional schema ¬□A → □¬□A, □A → □□A.

• A proposition is provable in K45 iff true in all transitive Euclidean frames iff provable by
the tableaux of K plus the transitive and Euclidean development rules.

K45 is a candidate (Halpern and Moses [1986], Moore [1988]) for a logic of belief for a
"logically omniscient completely introspective rational agent", see below.

§6. Non-monotonic reasoning. An important computer science class of modal logics arises in artificial intelligence in the area called "non-monotonic reasoning". In monotonic reasoning, a consequence drawn by a deduction from a set of axioms is also drawn by the same deduction from any larger set of axioms. That is, the consequence and the deduction are never withdrawn later however the set of axioms is enlarged. Monotonic reasoning is the only reasoning in classical mathematics and in constructive mathematics as well. The axioms upon which mathematics is based have been extended from those for Euclidean geometry in Euclid's time (300 B.C.) to those for calculus in the time of Newton and Leibniz (1680's) to those for analysis in the time of Weierstrass (1850's), to those for set theory in the time of Cantor (1880's). Gaps in proofs may have to be filled, but complete proofs are never withdrawn. This is the monotone nature of mathematics, in which mathematicians never disagree as to what is a proof and never reject the proofs of their predecessors, but build on their results instead. This characteristic may, in fact, be unique to mathematics if one looks at the history of all other disciplines, scientific or scholarly.

Think of each logic as having propositions. These propositions are certain strings from a fixed alphabet. The logic also has rules of inference. What is a monotone rule of inference? By instantiating the rules of inference, each monotonic rule of inference can be cast in the form

"From α_1, ..., α_n, infer γ",

where α_1, ..., α_n are propositions (premises), γ is a proposition (conclusion).

The rules of inference with no premises we think of as the "logical axioms". In a logic with monotone rules of inference, if A is a set of propositions, then a set D of propositions is called a deductively closed theory containing A if

"For each rule of inference, if α_1, ..., α_n are in D, then γ is in D."

In a logic with monotone rules of inference, for every set A of propositions there is a smallest deductively closed theory containing A. This property is lost in the non-monotonic logics below.

For non-monotonic logics we allow a more general form of rule of inference. We label premises purely formally as "positive" or "negative". Each non-monotonic rule of inference can be cast in the form

"If α_1, ..., α_n are positive premises and β_1, ..., β_m are negative premises, infer γ",

where α_1, ..., α_n, β_1, ..., β_m, γ are propositions.

So  each  monotonic  rule  can  be  recast  as  a  non-monotonic  rule  by  labelling  its  premises 
positive  and  having  an  empty  set  of  negative  premises. 

For a system based on non-monotonic rules of inference, a set D of propositions containing set A is called a deductively closed set containing A if for all rules of inference,

if the positive premises α_1, ..., α_n are in D and negative premises β_1, ..., β_m are not in D,

then γ is in D.

In non-monotonic reasoning a consequence drawn by a deduction from a set of axioms may not be a consequence of a larger set of axioms, due to radically different deductively closed sets containing the changed axioms in the non-monotonic case.

§7. Informal Belief. Commonsense reasoning is often non-monotonic. I, a rational introspective agent, have beliefs in my current complete set of beliefs B based on incomplete information. Later I have to change to another belief set B' in which we may no longer have some of the previous beliefs in B. We assume my belief set is closed under classical logical consequence, that is, I believe the logical consequences of what I believe (principle of logical omniscience). We assume that my belief set contains all of my beliefs. We suppose that the facts about the external world (objective facts) and rules I know for sure (our knowledge base) are in all my belief sets.

Example.  In  my  current  belief  set  B  might  be  the  propositions 

R: "If x is a bird, and I do not believe that x cannot fly, then x can fly"

F:  "Tweety  is  a  bird." 

Suppose 

"Tweety  cannot  fly." 

is not derivable from my belief set B. My beliefs are assumed closed under classical deduction so we conclude that

"I  do  not  believe  that  Tweety  cannot  fly." 

is  in  B.  So  applying  rule  R  of  B,  we  deduce  that  "Tweety  can  fly"  and  thus  also  we  deduce 
that 

"I  believe  that  Tweety  can  fly." 

But  B  is  closed  under  classical  deduction,  so  this  proposition  is  in  B.  I  now  visit  New 
Zealand  and  see  a  Kiwi,  and  realize  that  Tweety  is  a  Kiwi,  and  conclude 

N: "Tweety cannot fly"

In  my  new  belief  set  B'  I  retain  rule  R  and  fact  F  and  put  new  fact  N  into  B'. 

Since 

"Tweety  can  not  fly" 

is in B', and is therefore a belief,

"I  believe  that  Tweety  can  not  fly" 

is in B', and the hypothesis of rule R is not satisfied for B', and we cannot conclude, using rule R, that "Tweety can fly" is in B'. We have withdrawn a conclusion of B. This is the non-monotonicity of the reasoning. If indeed

"Tweety  can  fly" 

is not derivable from B', since B' consists of all beliefs, we can conclude that
"I don't believe that Tweety can fly"
is in B' as well.

§8. Autoepistemic logic. The complete set B of all beliefs of an agent is the subject of Moore's autoepistemic logic [1984]. His is an account of how an agent reasons about the agent's own beliefs. This is the origin of the use of "autoepistemic", the notion of self
knowledge.  Let  be  the  set  of  all  modal  propositions  based  on  classical  connectives  and  □. 

Let L be the subset of classical propositions. Moore reads □P as "P is in the agent's complete current belief set B". In his exposition he begins with L_□ regarded as a classical propositional logic with every proposition of the form □P as an additional propositional letter along with the usual ones. Thus a classical deductively closed set of this classical L_□ is merely one closed under classical tableaux deductions, or one closed under tautologies and modus ponens. A classical L_□-assignment maps all propositional letters and all propositions □P into {T, F}, and each of these is extendible to a classical L_□-valuation with domain L_□ and values in {T, F}.

Definition. An autoepistemic theory is a set B of L_□-propositions for which there is a classical L_□-valuation v such that B consists of all P in L_□ such that v(□P) = T. Also v is said to be an autoepistemic interpretation of B.

Since v can be L_□-valued arbitrarily on any atomic proposition P and any modal □Q, there is no necessary connection between the truth values of these propositions.

Example. For propositional letters A, B, we can define an L_□-valuation with □A true, □B true, □(A ∧ B) false. So A, B are in the corresponding autoepistemic theory, but A ∧ B is not. This is simply an instance of the fact that we can L_□-value propositions of the form □P arbitrarily and independently. So Moore allows in his definition of an autoepistemic theory B that an agent may be incapable of any reasoning from beliefs to beliefs. This makes it possible in this framework to study adding in reasoning abilities of limited strength by suitable axioms restricting the allowed L_□-valuations. So the notion of autoepistemic theory allows the study of agents with varied reasoning abilities by introducing additional modal axioms reflecting these abilities.

Definition.  A  model  of  autoepistemic  theory  B  is  an  autoepistemic  interpretation  of  B  such 
that  all  propositions  in  B  are  true. 

Definition. An autoepistemic theory B is semantically complete if B contains every proposition true in all autoepistemic models of B.

Theorem  (Moore  [1985]).  B  is  semantically  complete  iff 

1) B is closed under classical L_□-consequence.

2) If P ∈ B, then □P ∈ B.

3) If ¬(P ∈ B), then ¬□P ∈ B.

These  three  properties  were  the  definition  of  a  stable  set  B  of  modal  propositions  given  by 
Stalnaker  [1980, 1989]. 

Example.  We  informally  used  the  stability  of  B  and  B'  in  the  Tweety  example. 

-  We  applied  3)  to  verify  that  rule  R  could  be  applied  to  yield  that  "Tweety  can  fly"  is  in 
B,  with  P  the  proposition  "Tweety  cannot  fly". 

- We applied 2) to verify that "I believe that Tweety cannot fly" is in B', with P the
proposition  "Tweety  cannot  fly". 

Is  stability  a  reasonable  condition  for  the  complete  belief  set  B  of  a  rational  agent? 

Requirement  1)  is  that  the  agent  should  be  "logically  omniscient",  that  is,  any  classical  logical 
consequence of the agent's belief set B should also be in B. This is a simplifying
idealization, since to recognize that a given proposition is a classical logical consequence of
known  axioms  for  a  given  B  is  at  least  an  NP-complete  problem  (Halpern  and  Moses 
[1985]).  Verifying  conditions  2)  and  3)  for  specific  propositions  both  involve  this  NP-hard 
problem. 

Reformulating, the condition that B is closed under L_□-consequence means exactly that a tautology with beliefs substituted for variables is a belief, and that beliefs be closed under modus ponens. From a modal point of view this commits us exactly to the closure conditions on B imposed by deductive closure in the Hilbert style version of system K described in section. Equivalently, this commits us exactly to system K, of modal atomic tableaux for □, together with the deduction rule for tableaux.

Definition. An autoepistemic theory B is sound with respect to a set of premises A iff every autoepistemic interpretation of B in which all the propositions of A are true is an autoepistemic model of B.

Definition. An autoepistemic theory B is grounded in a set of premises A iff B is contained in

Cn[A ∪ {□P : P ∈ B} ∪ {¬□P : ¬(P ∈ B)}],
where Cn is the classical L_□-consequence relation.

Theorem (Moore [1985]). An autoepistemic theory B is grounded in A iff sound with
respect  to  A. 

Theorem  (Moore  [1985]).  If  A  is  a  set  of  premises,  then  an  autoepistemic  theory  T 
extending  A  is  sound  and  semantically  complete  with  respect  to  A  iff 

T = Cn[A ∪ {□P : P ∈ T} ∪ {¬□P : P ∉ T}]

Definition.  An  autoepistemic  theory  B  is  a  stable  expansion  of  a  set  of  premises  A  if  B 
contains  A  and  is  grounded  in  A. 

Moore  identifies  the  possible  complete  sets  of  beliefs  that  a  rational  agent  might  hold  after 
accepting  A  as  the  stable  expansions  of  A.  The  problem  in  dealing  with  stable  expansions  is 
that there can be none, one, two, or many, and they are not so easy to identify.

Example. {¬□P → Q, ¬□Q → P} has at least two stable expansions, one containing P but not
Q,  one  containing  Q  but  not  P. 

Example. {¬□P → P} has no stable expansions. Let B be a purported stable expansion. If P is in B, then B is not grounded and therefore not a stable expansion. Any stable If P is not in B, then ¬□P is in B (B is stable), so P would be in B (B is grounded), a contradiction.

§9. Autoepistemic logic 2. I am indebted to W. Marek for the outline of this section. We will repeat from scratch some of the same ground as in the previous section, but from a different viewpoint. This viewpoint starts out with a "rational agent"; it does not lend itself as immediately to partially rational agents with limited reasoning powers as did the Moore exposition of the previous section. We begin with "list semantics" for □. We work again in L_□. We let L be the corresponding classical language without □. This exposition emphasizes the role of classical L-valuations v. These are valuations of the classical propositions only, obtained from assignments to the classical propositional letters (not the □P propositions). If S is a set of modal propositions (called the "list"), a "list" consequence relation "⊢_{v,S}" is defined from S.

1) For propositional constants P, ⊢_{v,S} P iff v(P) = T.

*'v,S  ’■v,S 

•'v.S  ^  ‘■v,S  ‘■v,S  '*’• 

4) ⊢_{v,S} □φ iff φ ∈ S.

Remark. We can interpret □φ as "the agent believes φ", we can interpret S as the list of the agent's beliefs, and we can interpret 4) as expressing that if the agent is asked if the agent believes φ, the agent consults the "list", and answers yes in case φ is on the list.

Definition (S-entailment). Let I be a set of modal propositions. Then

I ⊢_S φ iff for all valuations v, ⊢_{v,S} I implies ⊢_{v,S} φ.

Definition. An expansion of I is a collection S of modal propositions satisfying the fixed point condition S = {φ : I ⊢_S φ}.

Let I be given, and suppose that S is being guessed by the agent. What does it mean for the guess to be correct?

1) Whatever is S-entailed should be in S (an adequacy requirement).

2) Whatever is in S should be S-entailed (a completeness requirement).

Theorem  (Moore).  The  following  are  equivalent. 

a)  S  is  an  expansion  of  I. 

b) S = Cn(I ∪ {□φ : φ ∈ S} ∪ {¬□φ : φ ∉ S}).

(Here  Cn  is  classical  consequence). 


A  set  S  of  modal  propositions  is  called  stable  (Stalnaker,  1980)  if 

1) S is closed under classical deduction,

2) φ ∈ S implies □φ ∈ S,

3) φ ∉ S implies ¬□φ ∈ S.

Condition 3) makes the reasoning non-monotonic. Stable theories are supposed to represent
the  set  of  all  beliefs  of  a  completely  rational  introspective  agent. 

The objective part of a set of modal propositions is its subset of classical propositions without □.


Theorem.  (Moore  [1984]). 

(i) If S is an expansion of I, then S is stable.

(ii)  If  S  is  stable,  then  S  is  an  expansion  (and  in  fact  the  unique  expansion)  of  its  objective 
part. 

Theorem (Marek [1986], Konolige). Every collection of L-propositions closed under classical L-consequence is the objective part of a stable L_□-theory.

So stable L_□-theories are in a 1-1 correspondence with classical objective L-theories.

We  now  discuss  how  to  generate  expansions. 

Let L_n be the propositions of L_□ with □'s nested to at most depth n.

Operation  E.  Given  a  set  A  of  L-propositions, 

let  E(0,  A)  be  the  set  of  classical  L-consequences  of  A, 

let E(n+1, A) be the set of classical L^j-consequences in of

E(n,  T)  U  {oip  :  V  r  E(n,  T))  U{{^v’ 

Let  E(T)  be  the  union  of  all  E(n,  T). 


Theorem  (Marek  [1986]).  If  A  is  a  set  of  propositions  in  L,  then  E({A})  is  the  unique 
expansion  of  A. 




Thus  to  find  the  expansion  one  has  to  find  the  objective  part. 

Example. Let I consist of ¬□P → P alone. This I has no expansion. The only candidates are: 1) E(∅) and 2) E({P}).

Re 1: P is not in E(∅), so ¬□P ∈ E(∅), and if it is an expansion, then P ∈ E(∅) by modus ponens.

Re 2: One can check that P is not a classical consequence of
I ∪ {□φ : φ ∈ E(P)} ∪ {¬□φ : not (φ ∈ E(P))}.

Example. Let I consist of ¬□P → Q and ¬□Q → P. This I has two expansions, E(P) and E({Q}). (There are two more candidates E(∅) and E({P, Q}), but they are discarded by the same reasoning as above.) Why is E({P}) an expansion? Since Q is not in E({P}), we get that ¬□Q is in {¬□φ : φ ∉ E({P})}. From this

E({P}) = Cn[I ∪ {□φ : φ ∈ E({P})} ∪ {¬□φ : φ ∉ E({P})}]

can be proved. The non-trivial inclusion is from left to right, proved by induction using E(n, {P}).

Example. Let I consist of P and □P → Q. This has the unique expansion E(P ∧ Q).

Theorem (Moore [1984]). If S_1 and S_2 are two different stable theories, one cannot be
contained  in  the  other. 

Thus  stable  theories  act  a  little  like  classical  complete  theories. 

Clearly  if  Cn(I)  =  Cn(J),  then  I,  J  have  exactly  the  same  expansions. 

Autoepistemic normal form. An autoepistemic (ae) clause is a modal statement of the form A → σ, where

σ is in L, and

A is of the form av>j A.. .A A.. .A A.. .A
where are in L^.

We can take the theories we are concerned with to be generated by ae clauses. Here, imitating logic programming, we call "σ" the head and "A" the body of the ae clause.

Theorem (Marek and Truszczynski [1988, 1989]).

1) For every I ⊆ L_□ there exists an I' ⊆ L_□ with the same expansions such that the ae-clauses A → σ of I' all have A of □-nesting depth 1.

2) Such an I' can be computed in polynomial time.

This  tells  us  that  the  problem  of  Byzantine  generals  does  not  exist  in  autoepistemic  logic. 

Normal  form  for  expansions. 

Theorem (Marek and Truszczynski [1988, 1989]).

Let I = {C_i = A_i → σ_i : 1 ≤ i ≤ k}. Then

1) Every expansion of I is of form

E({σ_i : i ∈ J}) for suitably chosen J ⊆ {1, ..., k}.

2) A theory S ⊆ L has the property that E(S) is an expansion of I if and only if there exists a representation of S in the form S = Cn({σ_i : i ∈ J}) such that

(i) I ⊆ E(S)

(ii) For all i ∈ J, we have that A_i ∈ E(S).

The problem is that a theory S may have numerous representations as Cn({σ_i : i ∈ J}) for various J. It is enough that one of these representations has the property 2(ii).

Example. I = {¬□P → (P ∧ Q), ¬□R → P, ¬□R → Q}. Then E({P ∧ Q}) is an expansion of I for the following reason. The second and third clause give "epistemic support". If we select our representation of E({P ∧ Q}) (= E({P, Q})) from the first clause, then we would not have the necessary epistemic support. Fortunately only one representation is required so it is an expansion.

Theorem (Marek [1986], Moore [1988]). There is an algorithm which, given T ⊆ L and φ ∈ L_□, tests whether or not φ ∈ E(T).

This algorithm cannot be polynomial time, but it is polynomial time in the characteristic function of Cn(T). The last two theorems imply that we can effectively compute all expansions in the propositional logic case.
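
The fixed-point condition T = Cn[A ∪ {□P : P ∈ T} ∪ {¬□P : P ∉ T}] can be checked by brute force when the premises are finite and □ is applied only to classical propositions: guess which □-bodies are believed, then test the guess against classical consequence. The Python below is an added example, not code from these lectures; the tuple encoding, the function names and the restriction to consistent expansions are assumptions of the example.

```python
from itertools import product

# Formulas are nested tuples (an encoding chosen for this example):
#   ("atom", "P"), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g), ("box", f)
def atom(name): return ("atom", name)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def imp(f, g): return ("imp", f, g)
def box(f): return ("box", f)

def collect(f, letters, bodies):
    """Record the propositional letters of f and the body phi of every box(phi) in f."""
    if f[0] == "atom":
        letters.add(f[1])
        return
    if f[0] == "box":
        bodies.add(f[1])
    for sub in f[1:]:
        collect(sub, letters, bodies)

def holds(f, v, believed):
    """Truth of f under the L-valuation v, reading box(phi) as 'phi is on the list'."""
    op = f[0]
    if op == "atom":
        return v[f[1]]
    if op == "box":
        return f[1] in believed
    if op == "not":
        return not holds(f[1], v, believed)
    if op == "and":
        return holds(f[1], v, believed) and holds(f[2], v, believed)
    if op == "or":
        return holds(f[1], v, believed) or holds(f[2], v, believed)
    if op == "imp":
        return (not holds(f[1], v, believed)) or holds(f[2], v, believed)
    raise ValueError("unknown connective: %r" % (op,))

def stable_expansions(premises):
    """For each consistent stable expansion, return the set of letters it contains."""
    letters, bodies = set(), set()
    for f in premises:
        collect(f, letters, bodies)
    letters, bodies = sorted(letters), sorted(bodies, key=repr)
    found = []
    for bits in product([True, False], repeat=len(bodies)):
        believed = {b for b, bit in zip(bodies, bits) if bit}   # the guessed list
        models = []
        for row in product([True, False], repeat=len(letters)):
            v = dict(zip(letters, row))
            if all(holds(f, v, believed) for f in premises):
                models.append(v)
        if not models:
            continue                      # the guess makes the premises inconsistent

        def entailed(g):
            return all(holds(g, v, believed) for v in models)

        # Groundedness and stability: a body is believed exactly when it follows.
        if all(entailed(b) == (b in believed) for b in bodies):
            found.append(frozenset(a for a in letters if entailed(atom(a))))
    return found

if __name__ == "__main__":
    P, Q = atom("P"), atom("Q")
    print(stable_expansions([imp(neg(box(P)), Q), imp(neg(box(Q)), P)]))
    print(stable_expansions([imp(neg(box(P)), P)]))
```

Run on the Tweety premises of §7 (with "can fly" and "cannot fly" encoded as two separate letters, an assumption of the example), the single expansion contains "can fly" before the fact N is added and no longer contains it afterwards.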

Definition. φ is an ae-consequence of I iff φ belongs to all expansions of I.

The  previous  two  theorems  imply  that  this  notion  is  decidable. 

Example. I = {¬□P → Q, ¬□Q → P}. Proposition P ∨ Q is an ae-consequence of I. Proposition □P ∨ □Q is an ae-consequence of I. Formula (□P ∧ ¬□Q) ∨ (¬□Q ∧ □P) is an ae-consequence of I. Neither □P nor □Q is an ae-consequence of I.

Example. (a) I = {¬□P → P}. I is consistent but it is ae-inconsistent (since there is no expansion, the intersection of expansions is L_□).

(b) I = {¬□P → P, □P → P} has a unique expansion E(P), thus it is ae-consistent. Its subtheory {¬□P → P} has no extensions. Thus there are ae-consistent theories with inconsistent subtheories. The subtheory {□P → P} has two expansions: E(TAUT), E(P). Thus we have a situation in which the smaller theory has a smaller set of consequences (previously had bigger...). The fact that I can have many or no expansions is disturbing. Are there conditions that imply uniqueness of expansions?

Gelfond stratification. A G-clause is a proposition of the form

(P_1 ∧ ... ∧ P_k ∧ □Q_1 ∧ ... ∧ □Q_r ∧ ¬□S_1 ∧ ... ∧ ¬□S_s) → (T_1 ∨ ... ∨ T_t),

where all P_i's, Q_i's, S_i's, and T_i's are atoms. A theory I consisting of G-clauses is G-stratified if there exists a representation as a disjoint union I = I_0 ∪ ... ∪ I_n such that

a) I_0 consists of the classical propositions in I.

b) Whenever clause

P_1 ∧ ... ∧ P_k ∧ □Q_1 ∧ ... ∧ □Q_r ∧ ¬□S_1 ∧ ... ∧ ¬□S_s → T_1 ∨ ... ∨ T_t

belongs to I_j, then

(i) Q_1, ..., Q_r, S_1, ..., S_s do not appear on the right hand side of an implication in any I_m, m > j (that is, they are "defined" in I_0, ..., I_j).

(ii) P_1, ..., P_k do not appear on the right hand side of implications in any I_m, m > j.

Theorem  (Gelfond  [1987]).  If  a  theory  I  consisting  of  G-clauses  is  G-stratified,  then  it 
possesses  a  unique  expansion. 

Stratification. There is another notion of stratification. Theory I consisting of ae-clauses is stratified if there is a representation

I = I_0 ∪ ... ∪ I_k

such that for all A → σ ∈ I_j,

(i) If an atom appears in σ then it does not appear in any formula in any I_k, k < j.

(ii) If an atom appears in A then it does not appear in the "head" of any formula in I_k, k > j.

Theorem (Marek and Truszczynski [1988]). If I is stratified and I = I_0 ∪ ... ∪ I_k, then

(a) I has at most one expansion

(b) If S = E(T) is an expansion of I and T is closed under Cn, and if T_j is the intersection of T with the language whose atoms are those appearing in I_j, then

(i) E(T_j) is an expansion of I_j

(ii) S is an expansion of T_j ∪ I_{j+1} ∪ ... ∪ I_k.

This theorem tells us how to compute expansions recursively: Compute an expansion of I_0, say S_0. Then compute an expansion of S_0 ∪ I_1, say S_1. Then compute an expansion of S_1 ∪ I_2, say S_2. At each step we are guaranteed at most one expansion. If we do not get one at any stage, there is no expansion for I.

Fixed Points. Let 𝒮 be a modal logic such as K, S4, S5, etc. S is called an 𝒮-fixed point over I iff S = Cn_𝒮(I ∪ {¬□φ : φ ∉ S}). This definition is due to McDermott.

Theorem (Svarts [1989]). Expansions of I are precisely the K45 fixed points over I.

Example. I = {□P → Q, □Q → P} has two expansions, E_1 = E(∅) and E_2 = E(P, Q).

But P is in the second expansion because □Q is there, that is, because Q is there, that is because □P is there, that is because P is there. Hence the evidence for P being in E_2 is that "P is there", and there is definitely a circularity.

Let us eliminate this circularity. Define an operator A as follows. For S ⊆ L_□
put A(S) = Cn(S ∪ {□φ : φ ∈ S}), and define
A_0(S) = S

A_{n+1}(S) = A(A_n(S))

A_∞(S) = ⋃_n A_n(S)

Call T an iterative expansion over I if T = A_∞(I ∪ {¬□φ : φ ∉ T}).


Theorem (Marek and Truszczynski [1988]). If T is an iterative expansion over I then T is an expansion of I.

Iterative expansions are fixed points with respect to the simplest modal logic in which there are classical tautologies, modus ponens, and necessitation, but no specific modal axiom such as K, T, 4 or 5.

Connection with Logic Programming. Given a logic program P, let Π = ground(P) be the set of all ground instances of P. Then Π consists of expressions of the form

C: P ← Q_1, ..., Q_r, ¬S_1, ..., ¬S_s

To each such clause assign its Gelfond translation

G(C) = Q_1 ∧ ... ∧ Q_r ∧ ¬□S_1 ∧ ... ∧ ¬□S_s → P
G(Π) = {G(C) : C ∈ Π}

If P is stratified in the sense of Apt-Blair-Walker then G(Π) is G-stratified.

Theorem.

(a) (Gelfond [1987]). Let P be stratified. Let M_P be its "perfect" model in the sense of Apt-Blair-Walker. Then E(Cn(M_P)) is the only expansion of G(Π).


(b) (Marek and Truszczynski [1988]) E(Cn(M_P)) is an iterative expansion of G(Π).


§10. Autoepistemic logic and Euclidean transitive frames. The semantics of §8, §9 using L_□ and L valuations respectively is the classical logic way of doing things. It is natural that there is an equivalent in frame semantics.

Theorem  (Moore  [1984]).  T  is  a  stable  autoepistemic  theory  if  and  only  if  T  is  the  set  of  all 
valid modal propositions of a complete frame.

This  was  also  proven  by  Halpern  and  Moses  and  Levesque. 

Since the complete graphs (in which directed branches extend from every node to every node) are determined up to isomorphism by the cardinality of the nodes alone, one can restrict the complete frames for this theorem to those of the form K = (𝒮, R), where the set of worlds 𝒮 is a set of classical valuations (of the propositional letters) and R is 𝒮 × 𝒮. Introduce for each classical valuation V a copy (V, 0), to be used as a new world distinguished from world V if the latter is present in 𝒮. Call it the distinguished V. Each pair consisting of K and a distinguished V gives rise to an ordinary Euclidean frame K_V = (𝒮', R'), where 𝒮' = 𝒮 ∪ {(V, 0)} and R' = R ∪ ({(V, 0)} × 𝒮). That is, every W in K is accessible from (V, 0) (including V if the latter is in 𝒮), but (V, 0) is not accessible from any world in K. There is a natural extension of K_V to a model, where each world V in K is assigned valuation V, and (V, 0) is assigned valuation V.

Now let B be an autoepistemic theory. Such a model K_V with the assignment above, arising from a complete model, is called a

— "possible worlds" interpretation of B iff B consists of all the propositions valid in this model.

— "possible worlds" model of B iff every proposition of B is true in K_V.

Theorem (Moore [1988]). The "possible worlds" models K_V of B are precisely those "possible worlds" interpretations in which V is a member of 𝒮.

This  affords  a  back  and  forth  translation  of  autoepistemic  interpretations  and  autoepistemic 
models  of  stable  theories  to  "possible  worlds"  interpretations  and  "possible  worlds"  models  as 
defined  above.  Moore  [1984, 1988]  uses  these  semantic  "possible  world"  characterizations  to 
investigate  stable  expansions,  and  decision  methods  for  semantic  entailment.  His  method 
amounts  to  the  use  of  the  "list  semantics"  of  the  last  section.  There  is  a  nice  tableaux-based 
approach which can be redone in the style of the present lectures due to Niemelä [1986]. We
omit  these  applications,  which  will  be  in  an  expanded  version  of  these  lectures,  for  lack  of 
space. 

§11. Modal predicate logic with constant domains. We introduce very briefly a modal predicate logic within classical logic intended to describe a single "constant" domain, with different true atomic statements at different worlds. This logic can be extended to have several modalities; we do not do this here. Dynamic logic uses this model; there the constant domain is the set of all states of a machine, and the modalities are induced by programs or commands. This formulation covers theories of beliefs or knowledge for several agents at once about a fixed domain of individuals as well, one □_i for each agent. The earliest example of such a theory is Hintikka [1962], see also Konolige [1986] or Halpern and Moses [1985] for further references. Here is the list of primitive symbols.

Predicate  letters  of  degree  n. 

An  infinite  list  of  variables 
an  infinite  list  of  (individual)  constants 
Logical connectives ∧, ∨, →, ¬, □, ◇, ∃, ∀
parentheses  (,  )  and  a  comma. 

The inductive definition of formula and free occurrence of variables is:

1) If R is a predicate letter of degree n and a_1, ..., a_n are variables or constants, then R(a_1, ..., a_n) is a formula. (These are called the atomic formulas.) In atomic formulas all occurrences of all variables are free.

2) If α, β are formulas, then (α ∧ β), (α ∨ β), (α → β), (¬α) are formulas. Occurrences of variables in these formulas are free or bound as they were in α, β.

3) If α is a formula, x is a variable, then ((∃x)α), ((∀x)α) are formulas. Occurrences of variables other than x are free or bound in these formulas as they were in α. Variable x is bound in all its occurrences in these formulas.

3) If α is a formula, then (□α) and (◇α) are formulas. Variables are free or bound in these statements as they are in α.

A  statement  is  a  formula  in  which  all  occurrences  of  all  variables  are  bound. 

This determines a language It has a purely classical sublanguage L obtained by omitting all reference to clause 3).

We need the notion of substitution. If we write a formula φ as φ(x), x a variable, and c is a constant, then φ(c) is the result of substituting c for all free occurrences of x throughout φ.

For  the  sake  of  defining  the  usual  notion  of  "relational  system"  in  a  form  exactly  appropriate 
for  tableaux,  assume  that  L  has  no  constants  itself.  Let  C  be  a  set  of  individual  constants 
and  extend  L  to  a  language  L(C)  by  adding  in  C  to  L.  An  assignment  A  for  L(C)  is  a 
map  of  the  atomic  statements  of  L(C)  to  {T,  F}.  Each  assignment  A  is  extended 
uniquely  to  a  valuation  V  mapping  the  statements  of  L(C)  to  {T,  F},  by  the  inductive 
definition  below. 

0)  V(P)  =  A(P)  for  all  atomic  statements  P. 

1) V(A ∧ B) = T iff V(A) = T and V(B) = T.

2) V(A ∨ B) = T iff V(A) = T or V(B) = T.

3) V(A → B) = T iff V(A) ≠ T or V(B) = T.

4) V(¬A) = T iff V(A) ≠ T.

5) V((∃x)φ(x)) = T iff for some constant c of C, V(φ(c)) = T.

6) V((∀x)φ(x)) = T iff for all constants c of C, V(φ(c)) = T.

In  the  notation  common  in  predicate  logic,  an  assigment  defines  a  relational  system  for  L 
with  domain  C.  This  relational  system  has  each  relation  symbol  R  of  degree  n  of  L{C)q  ^ 

denote 
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[(c . V(R(Cj, ....  cj)  =  T]. 

The definition of model (S, R) for modal predicate logic with constant domains goes as
follows. Frames are the same as in propositional calculus, a pair (S, R) consisting of a
non-empty set S of "possible worlds" and an "accessibility relation" R ⊆ S × S. A model is
given by a set C of individual constants (the "constant domain") and a map v (the
valuation function) assigning to each w ∈ S a valuation v(w) of L(C). The definition of
"w ⊩ φ" for statements φ of the modal language over L(C) follows.

0) w ⊩ P for atomic statements P iff v(w)(P) = T.

1) w ⊩ A ∧ B iff w ⊩ A and w ⊩ B.

2) w ⊩ A ∨ B iff w ⊩ A or w ⊩ B.

3) w ⊩ A → B iff w ⊩ A implies w ⊩ B.

4) w ⊩ ¬A iff not w ⊩ A.

5) w ⊩ □A iff for all w' in S such that w R w', w' ⊩ A.

6) w ⊩ ◇A iff for some w' in S such that w R w', w' ⊩ A.

7) w ⊩ (∃x)φ(x) iff w ⊩ φ(c) for some c in C.

8) w ⊩ (∀x)φ(x) iff w ⊩ φ(c) for all c in C.

The  reason  these  are  called  "constant  domain"  models  is  that  the  domain  C  of  the  relational 
system  assigned  to  each  world  is  precisely  the  same.  In  constant  domain  models  we  do  not 
have  to  worry  about  any  change  in  denotation  of  a  constant  from  world  to  world.  The 
constants  are  the  same  in  every  world  and  can  be  thought  of  as  having  the  same  denotation, 
and even may be thought of as denoting themselves. The big difference between worlds is
that the atomic statements R(c_1, ..., c_n) forced in one world may not be forced in another
world.

The definitions of "valid in a frame", "valid in a model" and "valid" are as for
propositional logic. Using the tableaux before, correctness and completeness are routine.

Constant domain tableaux. We need a countable list of world constants just as in modal
propositional logic. We also need a countable list of new individual constants, to be used in
the tableaux to name elements of an intended constant domain. These individual constants
are used, as in tableaux for classical predicate logic (Smullyan [1968]), as witnesses for
existential quantifiers. Here is the motivation, similar to that for classical logic, but for
frames. Each branch b of a tableaux is viewed as an attempt to build a model in which each
forcing statement on the branch holds as stated. So the frame would consist of the set S of
world constants w mentioned on b; the constant domain C would be the set of all
constants occurring on b; the model based on this frame has the valuation at world w with
atomic statement R(c_1, ..., c_n) true iff T w ⊩ R(c_1, ..., c_n) occurs on b. When a branch b is
contradictory in such a tableaux development, this attempt to build a model has failed.
When all such attempts to build a model have failed on all branches, we have a tableaux
proof.

We add the usual atomic tableaux rules for predicate logic quantifiers (Smullyan [1968]) to
those of modal propositional logic. The rules for T(∀x)φ(x), F(∃x)φ(x) are set up to handle
the constant domain situation only, since we are allowed to instantiate using constants
already on the branch. We have assumed that L has no constants itself.

Quantifier atomic tableaux for constant domains.

Universal

    T w ⊩ (∀x)φ(x)              F w ⊩ (∀x)φ(x)
          |                           |
    T w ⊩ φ(c)                  F w ⊩ φ(c)

    For any c                   For a new c not occurring on
                                any entry above on the branch

Existential

    T w ⊩ (∃x)φ(x)              F w ⊩ (∃x)φ(x)
          |                           |
    T w ⊩ φ(c)                  F w ⊩ φ(c)

    For a new c not occurring   For any c
    on any entry above on
    the branch


Example.

1   F w ⊩ (∀x)□A(x) → □(∀x)A(x)
2   T w ⊩ (∀x)□A(x)         by 1
3   F w ⊩ □(∀x)A(x)         by 1
4   T wRv                   by 3
5   F v ⊩ (∀x)A(x)          by 3
6   F v ⊩ A(c), new c       by 5
7   T w ⊩ □A(c)             by 2
8   T v ⊩ A(c)              by 7

So (∀x)□A(x) → □(∀x)A(x) is provable.
Example. (∀x)¬□φ → ¬□(∃x)φ.

1   F w ⊩ (∀x)¬□φ → ¬□(∃x)φ
2   T w ⊩ (∀x)¬□φ           by 1
3   F w ⊩ ¬□(∃x)φ           by 1
4   T w ⊩ □(∃x)φ            by 3
5   T w ⊩ ¬□φ(c)            by 2
6   F w ⊩ □φ(c)             by 5
7   T wRv                   by 6
8   F v ⊩ φ(c)              by 6
9   T v ⊩ (∃x)φ             by 4
10  T v ⊩ φ(d), new d       by 9

This is not a proof. With domain C = {c, d}, and two worlds w, v, with v accessible from w
and no atomic proposition holding in w and φ(d) holding in v, we get a counterexample.


Just as in classical predicate tableaux, the constructions are as helpful for finding
counterexamples as for finding proofs. We remark that the same tableaux method applies in
case more general situations than constant domains are allowed. But the semantics intended
for individual constants then has to be very precisely specified before it becomes obvious what
the appropriate tableaux rules for quantifiers are.
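The forcing clauses 0) to 8) above can be run directly. The following is an added example, not code from the paper: it evaluates "w forces a statement" in a constant domain model and searches all small models for a world that fails to force a given statement. The tuple encoding of formulas, the restriction to one unary relation symbol A standing in for φ, and the function names are assumptions of this sketch; quantifiers are handled by binding the variable to a constant, which has the same effect as the substitution φ(c).

```python
from itertools import product

# Formulas are nested tuples; terms are variable or constant names (strings).
#   ("P", name, term)   atomic statement with a unary relation symbol
#   ("not", f)  ("and", f, g)  ("or", f, g)  ("imp", f, g)
#   ("box", f)  ("dia", f)  ("all", var, f)  ("ex", var, f)

def forces(model, w, f, env=None):
    """Decide w ⊩ f by clauses 0)-8); env binds quantified variables to constants."""
    S, R, C, v = model
    env = env or {}
    op = f[0]
    if op == "P":                                    # clause 0
        return (f[1], env.get(f[2], f[2])) in v[w]
    if op == "and":                                  # clause 1
        return forces(model, w, f[1], env) and forces(model, w, f[2], env)
    if op == "or":                                   # clause 2
        return forces(model, w, f[1], env) or forces(model, w, f[2], env)
    if op == "imp":                                  # clause 3
        return (not forces(model, w, f[1], env)) or forces(model, w, f[2], env)
    if op == "not":                                  # clause 4
        return not forces(model, w, f[1], env)
    if op == "box":                                  # clause 5
        return all(forces(model, u, f[1], env) for u in S if (w, u) in R)
    if op == "dia":                                  # clause 6
        return any(forces(model, u, f[1], env) for u in S if (w, u) in R)
    if op == "ex":                                   # clause 7
        return any(forces(model, w, f[2], {**env, f[1]: c}) for c in C)
    if op == "all":                                  # clause 8
        return all(forces(model, w, f[2], {**env, f[1]: c}) for c in C)
    raise ValueError(f"unknown connective {op!r}")

def small_models(worlds, constants, preds):
    """Yield every constant domain model (S, R, C, v) over the given finite sets."""
    pairs = [(a, b) for a in worlds for b in worlds]
    atoms = [(p, c) for p in preds for c in constants]
    for rbits in product([False, True], repeat=len(pairs)):
        R = {pr for pr, bit in zip(pairs, rbits) if bit}
        for vbits in product([False, True], repeat=len(atoms) * len(worlds)):
            it = iter(vbits)
            v = {w: {a for a in atoms if next(it)} for w in worlds}
            yield (worlds, R, constants, v)

def find_countermodel(f, worlds=("w", "v"), constants=("c", "d"), preds=("A",)):
    """Return (model, world) with world not forcing f, or None if no such small model."""
    for model in small_models(worlds, constants, preds):
        for w in worlds:
            if not forces(model, w, f):
                return model, w
    return None

def successors(model, w):
    """Worlds accessible from w."""
    S, R, _, _ = model
    return {u for u in S if (w, u) in R}

def A(term):
    return ("P", "A", term)

# First example above: (∀x)□A(x) → □(∀x)A(x)
FIRST = ("imp", ("all", "x", ("box", A("x"))), ("box", ("all", "x", A("x"))))
# Second example above, with the atomic A(x) standing in for φ: (∀x)¬□A(x) → ¬□(∃x)A(x)
SECOND = ("imp", ("all", "x", ("not", ("box", A("x")))),
          ("not", ("box", ("ex", "x", A("x")))))

if __name__ == "__main__":
    print("countermodel for first example:", find_countermodel(FIRST))
    model, w = find_countermodel(SECOND)
    S, R, C, v = model
    print("second example fails at", w, "with R =", sorted(R), "and valuation", v)
```

The search space here is every accessibility relation and every valuation on two worlds and two constants, 256 models in all, so a `None` result is exhaustive only for that size.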

§12. Classical Dynamic Logic. Hoare [1969] designed a logic for expressing program
specifications and for proving "partial correctness" of programs. A basic construct of his logic
was A{P}B, meaning that if A holds before the execution of program P, then B holds
afterwards (Gries [1981]). Pratt [1976] was motivated by this to develop a modal logic of
programs in which each command c in a computer language implemented on the machine is
associated with two distinct modal connectives □_c and ◇_c. See Pratt [1976, 1980], Harel
[1984], and Kozen and Parikh [1982]. Dynamic logic will be well covered in a forthcoming
article by Kozen and Tiuryn [1989] in the new Handbook of Theoretical Computer Science, to
appear. We take the material in the next two paragraphs from that paper of Kozen and
Tiuryn, to which the reader is referred.

Here is a brief explanation. A simple model of sequential computing is that the current state
of a sequential machine is determined by an assignment of values in storage locations to
variables. Call such an assignment a store. Let S be the set of all possible stores. Let c be
a single command in the language. Corresponding to c introduce a relation R_c ⊆ S × S by
the definition that w R_c w' iff

when the store is w and command c is executed,
at the end of execution, the store is w'.

(Of course, c could be a program taking many machine cycles to execute.) Let S be the set
of all stores, and consider the set of all commands c of the computer language. Define a
"multiple modal" propositional logic frame on S with a relation R_c ⊆ S × S for each
command c. Introduce a modal logic having modal connectives □_c and ◇_c for each
command c.

Propositional dynamic logic has propositions of the form □_c φ, ◇_c φ for program or command
c.

- □_c φ is interpreted as meaning that if any execution of c terminates in a state s, then φ
holds at s.

- ◇_c φ is interpreted as meaning that there is an execution terminating in a state s with φ
holding at s.

The  connectives  mentioned  are  not  the  only  ones  used  in  propositional  dynamic  logic.  There 
are  additional  operations  for  constructing  new  commands  or  programs  from  old,  stemming 
from  the  theory  of  regular  events. 

Classical propositional dynamic logic.


Syntax 

Atomic  program  letters  -  (lower  case  Greek) 

Propositional  letters  -  (Upper  case  Roman) 

1)  Atomic  program  letters  are  programs. 

2) If α, β are programs then so are α;β, α*, α∪β, φ?, where φ is a proposition.

3) If α, β are programs and A, B are propositions, then
A ∧ B, A ∨ B, ¬A, □_α A, ◇_α A are propositions.


Semantics 

A modal frame (Kripke model) consists of a set S of "states" or "possible worlds", together
with a set of accessibility relations {R_α}, one for each atomic program α.

Extend R to all programs by

R_{α;β} = {(s, t) : (∃u)((s, u) ∈ R_α ∧ (u, t) ∈ R_β)},

R_{φ?} = {(u, u) : u satisfies φ}.


Satisfaction  is  defined  as  for  ordinary  modal  logic,  except  that  different  accessibilities  are  used 
for  different  programs. 
Axiomatization

1)  Axioms  for  propositional  logic 

2) 

3)  cJifiV  tr) ->  V  o^ir. 

6)  JT, 

7)  (i,5Vo^(o^,(^))->o^,(;>, 

8)  (',5VO^.(^V)AO^(p)). 

Rules  of  inference. 

Modus  ponens. 

From  A,  A  ->  B,  infer  B. 

Modal  generalisation. 

From A, infer □_α A for all programs α.
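The semantics of this section can be computed on a finite frame. The following is an added example, not code from the paper or from the authors it cites: it builds the relation denoted by a compound program and evaluates □_α and ◇_α against it. The clauses for choice (union) and iteration (reflexive transitive closure) are the standard ones and are an assumption here, since only composition and test are legible above; the counter frame, the names inc, reset, zero, max, and the reading of a Hoare triple A{P}B as A → □_P B are likewise assumptions of the sketch.

```python
# Programs:     ("atom", name) ("seq", a, b) ("choice", a, b) ("star", a) ("test", f)
# Propositions: ("prop", name) ("not", f) ("and", f, g) ("or", f, g) ("imp", f, g)
#               ("box", prog, f) ("dia", prog, f)

def rel(frame, prog):
    """Accessibility relation, as a set of (s, t) pairs, denoted by a program."""
    S, R, V = frame
    kind = prog[0]
    if kind == "atom":
        return set(R[prog[1]])
    if kind == "seq":                      # R_{α;β}: relational composition
        ra, rb = rel(frame, prog[1]), rel(frame, prog[2])
        return {(s, t) for (s, u) in ra for (u2, t) in rb if u == u2}
    if kind == "choice":                   # assumed standard clause: union
        return rel(frame, prog[1]) | rel(frame, prog[2])
    if kind == "star":                     # assumed standard clause: reflexive transitive closure
        step = rel(frame, prog[1])
        closure = {(s, s) for s in S}
        while True:
            grown = closure | {(s, t) for (s, u) in closure
                               for (u2, t) in step if u == u2}
            if grown == closure:
                return closure
            closure = grown
    if kind == "test":                     # R_{φ?} = {(u, u) : u satisfies φ}
        return {(u, u) for u in S if sat(frame, u, prog[1])}
    raise ValueError(f"unknown program constructor {kind!r}")

def sat(frame, s, f):
    """Satisfaction at state s, using a different accessibility for each program."""
    S, R, V = frame
    op = f[0]
    if op == "prop":
        return s in V[f[1]]
    if op == "not":
        return not sat(frame, s, f[1])
    if op == "and":
        return sat(frame, s, f[1]) and sat(frame, s, f[2])
    if op == "or":
        return sat(frame, s, f[1]) or sat(frame, s, f[2])
    if op == "imp":
        return (not sat(frame, s, f[1])) or sat(frame, s, f[2])
    if op == "box":   # every terminating execution ends in a state satisfying f[2]
        return all(sat(frame, t, f[2]) for (u, t) in rel(frame, f[1]) if u == s)
    if op == "dia":   # some execution terminates in a state satisfying f[2]
        return any(sat(frame, t, f[2]) for (u, t) in rel(frame, f[1]) if u == s)
    raise ValueError(f"unknown connective {op!r}")

def extension(frame, f):
    """Set of states at which f is satisfied."""
    return {s for s in frame[0] if sat(frame, s, f)}

# Constructed frame: a counter taking values 0..3.
S = (0, 1, 2, 3)
R = {"inc": {(n, n + 1) for n in S if n < 3}, "reset": {(n, 0) for n in S}}
V = {"zero": {0}, "max": {3}}
FRAME = (S, R, V)

INC, RESET = ("atom", "inc"), ("atom", "reset")
ZERO, MAX = ("prop", "zero"), ("prop", "max")
# "while not max do inc", written with test, composition and iteration.
WHILE = ("seq", ("star", ("seq", ("test", ("not", MAX)), INC)), ("test", MAX))
# Hoare-style triple zero {inc; inc; inc} max, read as zero -> box(inc;inc;inc) max.
TRIPLE = ("imp", ZERO, ("box", ("seq", INC, ("seq", INC, INC)), MAX))

if __name__ == "__main__":
    print("R_while =", sorted(rel(FRAME, WHILE)))
    print("box(while) max holds at", sorted(extension(FRAME, ("box", WHILE, MAX))))
    print("box(inc) zero holds at", sorted(extension(FRAME, ("box", INC, ZERO))))
    print("dia(inc) zero holds at", sorted(extension(FRAME, ("dia", INC, ZERO))))
```

At state 3 the program inc has no execution, so the box statement holds there vacuously while the diamond statement fails, which is the partial correctness reading given above.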

Classical predicate dynamic logic. Here is a little about classical predicate dynamic logic. In
classical first order logic, the truth or falsity of a formula in a relational system is determined
as soon as values in the domain of the relational system are assigned to all free variables. In
programming environments the values assigned to programming variables vary from stage to
stage during the execution of a program. We need a predicate language which can handle
changing assignments of values to programming variables for a sufficiently wide class of
programs. Within classical logic, the propositional dynamic logic of Pratt, Harel, and Kozen
was generalized by them as follows to a predicate modal logic. Let the set S of states be the
set of all assignments F which map the set of program variables into the domain of
a relational system M. Each such F assigns values to terms of the language. A program
can be viewed as inducing a transformation on states. Given an initial state, the program
will go through a series of intermediate states, perhaps eventually halting in a final (output)
state. In dynamic logic a program is a well-formed expression built inductively from
primitive programs using a small set of program constructors which are usually taken to be
; (sequential composition), * (iteration) and ∪ (nondeterministic choice). Dynamic logic
interprets these programs semantically as input/output relations on a suitably chosen set of
states. This makes it a good formalism for describing those properties that manifest in the
input/output relations of a program, and makes dynamic logic undesirable for formalising
properties of programs that are not supposed to halt. One is given an input-output
specification, a formal relation between the input and output states that the program is
supposed to maintain. The input/output relation of a program carries all the information
necessary to determine whether the program is correct relative to such a specification. In
dynamic logic, programs are first-class objects on a par with formulas, complete with a
collection of operators for forming compound programs inductively from a basis of primitive
programs. In the case of first order dynamic logic, the atomic programs are taken to be
assignment statements

x_i ← t,

where x_i is a variable and t is a term. The states are taken as the set S of total assignments of
values in the relational system to the program variables. R_{x_i ← t} denotes

{(F, G) : F, G ∈ S ∧ G = F(F(t)/x_i)}.

The rest is taken from propositional dynamic logic.

§13. Intuitionistic dynamic predicate logic (Wijesekera). Note that in classical dynamic
logic, propositional or predicate, the "states" are assumed as completely known in order to
carry out these valuations. In most actual situations, we have only partial knowledge of the
complete state of the machine, say the readings from a few pertinent registers and stacks.
What kind of logic can make effective use of "partial knowledge" of states? Wijesekera
proposes an intuitionistic system of dynamic logic, and the use of Kripke models, based on
partial knowledge of assignments. See Nerode [1990] for explanations as to why Kripke
models of intuitionistic reasoning reflect increasing partial knowledge of states. We also wish
to be as constructive as possible for another reason. We believe that much more constructive
systems have to be developed with term extraction for many of these logics to make them
tools for automated reasoning. A beginning has been made by Duminda Wijesekera [1989] in
modal intuitionistic logic with two different kinds of accessibilities, one the modal
accessibilities for the problem at hand, one for intuitionistic increase of knowledge. These
logics have correctness and completeness theorems. They have been applied to model
concurrency by using a constructivised version of Peleg's model of concurrency (Peleg [1987]).
They have also been applied to give a good intuitionistic dynamic logic with decent term
extraction properties. Such features are characteristic of intuitionistic natural deduction
systems and not characteristic of their classical counterparts, modal or otherwise. This may
prove to be important for implementation as tools in systems such as Constable's NuPRL.

Let  K  be  a  Kripke  frame  for  first  order  intuitionistic  logic.  Let  S  be  the  set  of  partial  maps 
of  assignments  into  worlds. 

Definition. (F, G) ∈ R_{x ← t} iff

F, G ∈ S are mapped into the same world in the Kripke model, and
F, G are defined at x,
and G = F(F(t)/x).

Definition. F ≤ G iff

1) the world that F is mapped into is below the world that G is mapped into in the
intuitionistic partial order, and

2) If F(x) is defined, then so is G(x), and they take the same value.

The following conditions are consequences of the definitions above.

1) If F ≤ G and (F, F') ∈ R_α, then there is a G' satisfying F' ≤ G', and (G, G') ∈ R_α.

2) If (F, F') ∈ R_α and F' ≤ G', then there is a G such that F ≤ G and (G, G') ∈ R_α.

The meaning of the ordinary logical connectives is the same as in intuitionistic logic.

Definition. We say that w ⊩ ◇_α φ if

there is a w' such that
(w, w') ∈ R_α and w' ⊩ φ.

Definition. We say that w ⊩ □_α φ if
whenever w ≤ w' and (w, w'') ∈ R_α,
we can conclude that w'' ⊩ φ.


The notion of satisfaction used here is the one usually called local satisfaction in a frame.
That is, Γ ⊢ φ semantically means that for all w in the frame, w ⊩ Γ implies that w ⊩ φ.

We  can  prove  correctness  and  completeness  relative  to  this  semantics  for  the  following 
axiomatic  systems. 

(1)  Axioms  of  Heyting  predicate  logic. 

(2)  Scott's  axioms  of  the  logic  of  existence,  equality  and  strictness  axioms. 

(3)  The  propositional  dynamic  logic  axioms. 

We change the notation for modalities corresponding to programs to the standard notation of
dynamic logic for the operators. It is otherwise hard to read the axioms.

Write <α> for ◇_α and write [α] for □_α.

- -  <a><P>ifi, 

<oU  /?>¥>' - -  </?>¥>, 

V  $)  - - 1  <a>^  V  <q>6, 

<tp'!>6i - -  6, 

9  * 

<a  - -  <^v  <a><a  >9, 

[a:  - '  [all/J]!,?, 

[a  ]¥>' - -  [o][a  ]v5, 

^<a>ip< - •  [a](-’Vi), 

(<a>T  —  [a]v5)  —  [a]v?, 

(<a>T  —  [o]v!)  — *  [a]vJ, 

<a>x — '  i., 

(<o>v>— '  la]Jj  V  [ojtfj)  —  V  flj)- 

Here  is  what  is  needed  for  the  deduction  theorem. 

(a]((p— tf) (lalv>— [a]tf), 

*  ff)  A  <a — ><a>ff, 

[a]v>A  <a>(v— •  S)  —>  <a>¥i, 

<Xj  —  a>v)(Xj) « - 1  ^tjtjltj  =  Xj  A  tj  =  a  A  vfKtg)], 

[xj  *—  a]vi(Xj)  - - -  Vtjtjltj  =  xj  A  tj  =  a  —  V)  (tj)). 
Rules

Rules of quantification of E+ logic.

(This is Scott's logic of partial existence (Troelstra and van Dalen [1988]).)

Modus  Ponens 

Substitution 

if{x)  Et 


Modal  Rules 


(^  ( t/x ) 

r,  A  (-  B 


[a]r,  <a>A  1-  <a>B 


r  I-  A 


Hr  h  HA 


Propositional  dynamic  logic  rules. 


rhv)— [/llHlfl  for  alii 
r  h  1^— •  [/3i(o 


rh<ff><a'>^— 9  for  alii 


r  I-  <0>  <a  >  ip—<  9 


Intuitionistic concurrent dynamic logic (Wijesekera). This is a refinement of Peleg's model
of concurrency. Here we add an extra program construct ∩. This α ∩ β is supposed to mirror
the fact that α and β are executed simultaneously, starting from a common state w. So
each program α now denotes an R_α ⊆ S × P(S), where P(S) is the power set of the set of
states.

Definition. We say that w ⊩ <α>φ iff ∃T ⊆ S such that

(w, T) ∈ R_α and

w' ⊩ φ for each w' ∈ T.

Definition. We say that w ⊩ [α]φ if for all w' ≥ w and all T' ⊆ S such that (w', T') ∈ R_α
and all w'' ∈ T', we have w'' ⊩ φ.

We have to redefine composition and * all over again (see Peleg [1987]).

Definition. R_{α;β} is the set of all pairs (w, T) such that

∃T' ⊆ S with (w, T') ∈ R_α, and

for all u in T', there is a T_u such that

(u, T_u) ∈ R_β and T = ∪ {T_u : u ∈ T'}.


Definition.  R  *  is  U  R  n. 

It-.  1  »-Y»;  ^  ^ 

There is an axiomatization for the concurrent case similar to those we have supplied for the
sequential dynamic logic.

§14. Closing note. Other logics have been designed for non terminating and perpetual
processes such as operating systems, and for concurrent programs. In temporal logic, the
program is fixed and considered part of the structure over which the logic is interpreted. Such
a logic is sometimes called an endogenous logic. The current location in the program during
execution is stored in a special variable for that purpose, called the program counter, and is
part of the state along with the values of the program variables. Instead of program
operators, there are temporal operators that describe how the program variables, including the
program counter, change with time. Temporal logic lacks the ability of dynamic logic to
combine programs, and deal with several programs in the same model, but because it deals
with execution sequences, temporal logic (and another subject, process logic), can deal with
correctness of perpetual programs and programs that sometimes halt, such as operating
systems and communication networks. Pnueli [1977] suggested that temporal logics could be
used to reason about concurrent programs, when the issue of termination ought to be
suppressed from the discussion. Temporal logic began as a formal axiomatic subject (tense
logic) in Prior [1955]. Temporal logic also has a natural "possible worlds" Kripke model
theory. Syntax and semantics of various temporal logics from a philosophical point of view
and without computer science may be found in the excellent texts of Rescher and Urquhart
[1971], McArthur [1976], van Benthem [1983]. The 1960's introduced the problem of program
specification (what a program is supposed to do), program development (find a program
which is supposed to satisfy the specification), and program verification (verify that the
program satisfies its specification). Floyd [1967] developed the "inductive assertion method"
for verifying that a flowchart program (built up from conditional branching, join of control,
and assignment) for computing such a function satisfies "partial correctness" (if the program
terminates on an input, the resulting output satisfies the specification). Hoare [1969] turned
this into a calculus, much investigated since, based on the construct {P}S{Q} representing
"if the assertion P is true when the program S is initiated, then assertion Q is true if and
when the program S terminates." Burstall [1974] developed a method for showing "total
correctness" (partial correctness plus the program always terminates). He follows the
execution of the program using symbolic (variable) data, using mathematical induction to
prove general assertions about what happens at loops. Burstall himself makes the point that
modalities are involved. In Burstall's proofs of total correctness, assertions to be proved have
the form

"(∃ time t)(at time t, program line l is executed and P(t))".

In Floyd's proofs of partial correctness, assertions to be proved have the form
"(∀ times t)(at time t, program line l is executed implies P(t))".

Pnueli [1977] systematized the modal logic suggested by Burstall as a classical logic
augmented by □, ◇ corresponding to Burstall's suggestion.

□P(t) is read "always" and means "now and in the future",

◇P(t) is read "eventually" and means "now or sometime in the future".

He assumed that time is the non-negative integers with the usual order and introduced a
third operator ○.

○P(t) is read "next P" and means "P(t+1)".

These modal logics clarified program correctness proofs, and are equally suitable for
concurrent or perpetual programs such as operating systems. An important topic is fairness.
This takes many forms. A weak one is that a continuously active process will eventually be
scheduled. A stronger requirement is that a process active infinitely often will be scheduled.
Another is that a process which is active at least once will be scheduled. All these can be
formulated in the Pnueli calculus mentioned, and treated as program specifications. But
stronger notions, such as that of two processes, the one that is active first will be scheduled
sooner, exceed the capacity of this calculus. Gabbay et al. introduced a binary connective U,
vUw, read "u until w", such that

(uUw)(t) is true if v(w) is true at all times w
until a future time s when w(s) is true.

Computer science applications of temporal logic are a thriving specialty in their own right.
There  are  many  contributions  to  the  specification  and  verification  of  sequential  and 
concurrent  systems. 

Multiple believers. Now think of "agent 1 believes", "agent 2 believes", etc. We may want
all these operators present at once in the same logic. After all, what one agent believes or
knows does not necessarily coincide with what another believes or knows, or with the
common  beliefs  or  knowledge  of  several  agents.  One  objective  of  such  studies  is  to  analyze, 
model,  and  machine  simulate  rational  behavior  based  on  knowledge  and  belief.  These 
applications  generally  start  by  putting  down  reasonable  axioms  for  belief  or  knowledge,  and 
continue  by  trying  to  develop  methods  of  determining  whether  a  given  proposition  is  believed 
or  known  on  the  basis  of  other  propositions.  The  agents  themselves  may  be  machines,  and  we 
may  be  trying  to  reconcile  their  databases  (beliefs,  knowledge). 

Hintikka [1962, 1971] gave a Kripke model of beliefs of multiple agents. In its simplest form,
there  is  one  set  of  possible  worlds,  but  a  different  accessibility  relation  for  each  agent,  and  an 
agent  believes  P  if  P  is  true  at  the  worlds  accessible  to  the  agent.  See  Halpern  and  Moses 
[1985]  for  a  survey  of  logics  of  knowledge  and  belief.  Also  see  Konolige  [1986, 1988]. 

•  Supported  by  NSF  grant  MCS-83-01850  and  ARO  contract  DAAG29-85-C-0018 

**  thanks  to  Prof.  Wiktor  Marek  for  §9  and  to  MSI  fellow  Duminda  Wijesekera  for  §13, 
and  to  Prof.  Andre  Deutz  for  his  help  in  the  preparation  of  this  paper. 

BIBLIOGRAPHY 

M. Abadi and Zohar Manna, "Modal theorem proving", LNCS 230, 172-188.

H. Barringer [1985], A Survey of Verification Techniques for Parallel Programs, LNCS 191,
Springer-Verlag.

R. Brachman, H. Levesque, R. Reiter, eds. [1989], First Conference on Principles of
Knowledge Representation and Reasoning, Toronto, Canada, May 15-18, 1989.

R. Burstall [1974], "Program proving as hand simulation with a little induction",
Information Processing 74, 308-312.

B. F. Chellas [1980], Modal Logic: An Introduction, Cambridge University Press.

E. Clarke, E. Emerson, A. Sistla [1986], "Automatic verification of finite state concurrent
systems using temporal logic specifications", ACM Trans. on Programming
Languages and Systems 8, 244-263.

D. McDermott and J. Doyle [1980], "Non-Monotonic Logic I", Artificial Intelligence 13,

D. McDermott [1982], "Non-monotonic logic II: Nonmonotonic modal theories", J. ACM
29, 33-57.

D.  Etherington  [1988],  Reasoning  with  Incomplete  Information,  Pitman,  London,  1988. 

R.  Fagin  and  J.  Y.  Halpern  [1988],  "Belief,  awareness,  and  limited  reasoning".  Artificial 
Intelligence  34,  39-76. 

L. Fariñas del Cerro [1985], "Resolution modal logics", Logique et Analyse 110/111.

M. Fitting [1983], Proof Methods for Modal and Intuitionistic Logics, D. Reidel,
Dordrecht, Holland.

R. Floyd [1967], "Assigning meaning to programs", Proc. Symp. in Applied Math., AMS
19, 19-32.

D. Gabbay, A. Pnueli, S. Shelah and J. Stavi [1980], "On the temporal analysis of
fairness", Proc. 7th ACM Symp. on Prin. of Programming Languages, 163-173.

A. Galton, ed. [1987], Temporal Logics and their Applications, Academic Press, N.Y.

C. Geissler and K. Konolige, "A resolution method for quantified modal logics of
knowledge and belief", in J. Y. Halpern [1986], 309-324.

M. Gelfond, H. Przymusinska, and T. Przymusinska [1986], "The stable model semantics
for logic programming", in R. Kowalski and K. Bowen, eds., Proc. of the 5th Logic
Programming Symposium, 1070-1080, Assoc. for Logic Programming, MIT Press,
Cambridge, Mass.

M. Gelfond [1987], "On stratified autoepistemic theories", Proc. AAAI-87, Amer. Assoc.
for Artificial Intelligence, Morgan-Kaufmann, Los Altos, CA, 1987.

M. Gelfond [1989], "Autoepistemic logic and the formalization of commonsense reasoning",
LNCS 346, 176-186.

M. Ginsberg [1987], Readings in Nonmonotonic Reasoning, Morgan Kaufmann, Los Altos,
Calif.

J. Y. Halpern and Y. O. Moses [1984], "Knowledge and common knowledge in a distributed
environment", 3rd ACM Conference on the Principles of Distributed Computing,
50-61. (Revised as IBM RJ 4421, 1984).

J. Y. Halpern and Y. O. Moses [1985], "A guide to modal logics of knowledge and belief",
in Proc. IJCAI, Los Angeles, 50-61.

J. Y. Halpern (Ed.) [1986], "Theoretical aspects of reasoning about knowledge", Proc. 1986
Conf.

S. Hanks and D. McDermott [1987], "Nonmonotonic logic and temporal projection",
Artificial Intelligence 33, 379-412.

D. Harel [1979], "Dynamic Logic", in Gabbay and Guenthner, eds., Handbook of
Philosophical Logic [1983/5].

J. Hintikka [1962], Knowledge and Belief, Cornell University Press, Ithaca, N.Y.

C. Hoare [1969], "An axiomatic basis for computer programming", Comm. ACM 12,

G.  E.  Hughes  and  M.  J.  Cresswell  [1968],  Introduction  to  Modal  Logic,  Methuen,  London. 

S. Kanger [1957], "A note on quantification and modalities", Theoria 23, 133-4.

K. Konolige [1986], A Deductive Model of Belief, Morgan Kaufmann, Inc., Los Altos,
California.

K. Konolige [1988], "On the relation between default logic and autoepistemic logic",
Artificial Intelligence 35, 343-382.

D. Kozen and R. Parikh [1982], "An elementary proof of the completeness of PDL", Theor.
Comp. Sci. 14 (1981), 113-118.

D. Kozen and J. Tiuryn [1989], "Logic of programs", Cornell University Department of
Computer Science Report no. 89-%2.

S. A. Kripke [1959], "A completeness theorem in modal logic", J. S. L. 24, 1-15.

S. A. Kripke [1963], "Semantical considerations on modal logic", Acta Phil. Fennica 16,
83-94.

R. E. Ladner [1977], "The computational complexity of provability in systems of modal
propositions calculus", SIAM J. of Computing 6:3, 467-480.

A. Loperic, "On the method of valuations in modal logic", Math. Logic Proc. 1st Brazilian
Conf., N. Da Costa and R. Chuaqui, ed., Lecture Notes in Pure and Applied Math 39,
Marcel Dekker, 141-157.

Z. Manna and A. Pnueli [1981], "Verification of concurrent programs: the temporal
framework", in R. S. Boyer and J. S. Moore, eds., The Correctness Problem in
Computer Science, Academic Press, London, 215-273.

W.  Marek  [1986],  "Stable  theories  in  autoepistemic  logic",  to  appear  in  Fundamenta 
Informaticae. 

W. Marek and V. Subrahmanian [1989], "The relationship between logic program
semantics and non-monotonic reasoning", Proc. 6th ICLP.

W. Marek and M. Truszczynski [1988], "Autoepistemic logic", Technical report 115-88,
Computer Science Department, University of Kentucky.

W. Marek and M. Truszczynski [1989], "Stable semantics for logic programs and default
theories", Technical Report 197-88, Computer Science Department, University of
Kentucky.

W. Marek and M. Truszczynski [1989], "Relating autoepistemic and default logics", in
Brachmann et al. [1989].

R.  C.  Moore  [1985],  "Semantical  considerations  on  nonmonotonic  logic",  Artificial 
Intelligence  25  (1). 

R.  C.  Moore  [1988],  "Autoepistemic  logic",  in  Smets  et  al. 

P.  H.  Morris  [1989],  "Autoepistemic  stable  closure  and  contradiction  resolution",  LNCS 
346,  60-73. 


I.  Niemala  [1988],  "Decision  method  for  autoepistemic  logic",  Proc.  9th  Inter.  Conf.  on 
Automated  Deduction,  Argonne,  Ill. 

I.  Niemala  [1988],  "Autoepistemic  predicate  logic",  Research  report  A-6,  Digital  Systems 
Laboratory,  Helsinki  University  of  Technology,  Espoo,  Finland. 

D.  Peleg  [1987],  "Concurrent  dynamic  logic",  JACM  34:2,  450—479. 

A.  Pnueli  [1977],  "The  temporal  logic  of  programs",  Proc.  18th  IEEE  Symp.  on  Found,  of 
Comp.  Science,  46-67. 

V.  Pratt  [1976],  "Semantical  considerations  on  Floyd-Hoare  logic",  17th  Annual  IEEE 
Symp.  on  Found.  Comp.  Sci.,  New  York,  109-121. 

'’ratt  [1980],  "Applications  of  modal  logic  to  programming",  Studia  Logica  39,  257-274. 

Prior  [1967],  Past,  Present,  and  Future,  Oxford:  Clarendon  Press. 

'  1  Reinfrank,  J.  de  Kleer,  M.  L.  Ginsberg  and  E.  Sandewall  (Eds.)  [1989]  Non-Monotonic 
Reasoning  Berlin:  Springer— Verlag 

•:  Reiter  [1980],  "A  logic  for  default  reasoning".  Artificial  Intelligence  13  (1-2). 

r  Reiter  [1987],  "Nonmonotonic  reasoning",  Ann.  Rev.  Comp.  Sci.  2, 147-186. 

'i  Shoham  [1988],  Reasoning  about  Change,  MIT  Press,  Cambridge,  MA 

j  F.  Shvarts  [1989],  "Fixed-points  of  non-monotonic  modal  theories",  mss. 

P  Smets,  E.  H.  Mamdani,  D.  Dubois,  H.  Prade  [1989],  Non-Standard  Logics  for 
Automated  Reasoning,  Academic  Press,  New  York. 

R.  Smullyan  [1968],  First  Order  Logic,  Springer  Verlag,  New  York. 

R.  Stalnaker,  [1980],  "A  note  on  non-monotonic  modal  logic".  Department  of  Philosophy, 
Cornell  University,  Ithacsi,  N.Y.  (unpublished). 

A. Troelstra and D. van Dalen [1988], Constructivism in Mathematics, vol. 1, 2, North
Holland, Amsterdam.

R. Turner [1984], Logics for Artificial Intelligence, Chichester: Ellis-Horwood.

J. van Benthem [1983], The Logic of Time, Reidel, Dordrecht.

J. van Benthem [1984], "Correspondence theory," in D. Gabbay and F. Guenther, eds.,
Handbook of Philosophical Logic, vol. II, Reidel, Dordrecht.

J. van Benthem [1985], Modal Logic and Classical Logic, Bibliopolis, Napoli.

J. van Benthem [1988], A Manual of Intensional Logic, 2nd ed., CSLI, Stanford.

M. Vardi [1985], "On epistemic logic and logical omniscience", in J. Y. Halpern,
293-305.

M. Vardi [1989], "On the complexity of epistemic reasoning", LICS 1989, IEEE,
243-246.

M. Xiwen and G. Weide [1983], "A modal logic of knowledge", 8th IJCAI, 398-401.


